Security update for apache2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0889-1 Final 1 1 2019-04-05T06:57:14Z current 2019-04-05T06:57:14Z 2019-04-05T06:57:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: Security issues fixed: - CVE-2018-17199: A bug in Apache's 'mod_session_cookie' lead to an issue where the module did not respect a cookie's expiry time. [bsc#1122839] * CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for URL normalization throughout all of its components. In particular, consecutive slashes were not always collapsed. Attackers could potentially abuse these inconsistencies to by-pass access control mechanisms and thus gain unauthorized access to protected parts of the service. [bsc#1131241] * CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in a threaded server could have allowed users with valid credentials to authenticate using another username, bypassing configured access control restrictions. [bsc#1131239] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-889,SUSE-SLE-SERVER-12-2019-889 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190889-1/ Link for SUSE-SU-2019:0889-1 https://lists.suse.com/pipermail/sle-security-updates/2019-April/005303.html E-Mail link for SUSE-SU-2019:0889-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1122839 SUSE Bug 1122839 https://bugzilla.suse.com/1131239 SUSE Bug 1131239 https://bugzilla.suse.com/1131241 SUSE Bug 1131241 https://www.suse.com/security/cve/CVE-2018-17199/ SUSE CVE CVE-2018-17199 page https://www.suse.com/security/cve/CVE-2019-0217/ SUSE CVE CVE-2019-0217 page https://www.suse.com/security/cve/CVE-2019-0220/ SUSE CVE CVE-2019-0220 page SUSE Linux Enterprise Server 12-LTSS apache2-2.4.10-14.36.1 apache2-devel-2.4.10-14.36.1 apache2-doc-2.4.10-14.36.1 apache2-event-2.4.10-14.36.1 apache2-example-pages-2.4.10-14.36.1 apache2-prefork-2.4.10-14.36.1 apache2-utils-2.4.10-14.36.1 apache2-worker-2.4.10-14.36.1 apache2-2.4.10-14.36.1 as a component of SUSE Linux Enterprise Server 12-LTSS apache2-doc-2.4.10-14.36.1 as a component of SUSE Linux Enterprise Server 12-LTSS apache2-example-pages-2.4.10-14.36.1 as a component of SUSE Linux Enterprise Server 12-LTSS apache2-prefork-2.4.10-14.36.1 as a component of SUSE Linux Enterprise Server 12-LTSS apache2-utils-2.4.10-14.36.1 as a component of SUSE Linux Enterprise Server 12-LTSS apache2-worker-2.4.10-14.36.1 as a component of SUSE Linux Enterprise Server 12-LTSS In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. CVE-2018-17199 SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.36.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190889-1/ https://www.suse.com/security/cve/CVE-2018-17199.html CVE-2018-17199 https://bugzilla.suse.com/1122838 SUSE Bug 1122838 https://bugzilla.suse.com/1122839 SUSE Bug 1122839 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. CVE-2019-0217 SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.36.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190889-1/ https://www.suse.com/security/cve/CVE-2019-0217.html CVE-2019-0217 https://bugzilla.suse.com/1131239 SUSE Bug 1131239 A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. CVE-2019-0220 SUSE Linux Enterprise Server 12-LTSS:apache2-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-doc-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-example-pages-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-prefork-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-utils-2.4.10-14.36.1 SUSE Linux Enterprise Server 12-LTSS:apache2-worker-2.4.10-14.36.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190889-1/ https://www.suse.com/security/cve/CVE-2019-0220.html CVE-2019-0220 https://bugzilla.suse.com/1131241 SUSE Bug 1131241