This update fixes several security issues in the Apache2 webserver. The severe ByteRange remote denial of service attack was fixed, and the configuration options used by upstream were added: the new MaxRanges directive limits the number of ranges allowed per request and, if it is exceeded, the complete content is served. Two fnmatch denial of service attacks that could exhaust the server's memory were fixed. Another memory leak that could exhaust httpd server memory via unspecified methods was fixed. This update also includes a fix for a mod_proxy reverse proxy exposure via RewriteRule or ProxyPassMatch directives. Updated packages are available from download.opensuse.org.
SUSE Security Update: Security update for apache2
______________________________________________________________________________
Announcement ID: SUSE-SU-2011:1229-1
Rating: important
References: #713966 #718106 #719236 #722545
Cross-References: CVE-2011-3192
Affected Products:
SUSE Linux Enterprise Server 10 SP3
______________________________________________________________________________
An update that solves one vulnerability and has three fixes
is now available.
Description:
This update fixes several security issues in the Apache2
webserver.
* The severe ByteRange remote denial of service attack
  (CVE-2011-3192) was fixed, and the configuration options used by
  upstream were added.
  A new config option, MaxRanges, is introduced: the number of
  ranges allowed per request; if it is exceeded, the complete
  content is served. default: 200; 0|unlimited: unlimited; none:
  Range headers are ignored. This option is a backport from 2.2.21.
* CVE-2011-0419, CVE-2011-1928: Two fnmatch denial of
  service attacks were fixed that could exhaust the server's
  memory.
* CVE-2010-1623: Another memory leak was fixed that
  could exhaust httpd server memory via unspecified methods.
* CVE-2011-3368: This update also includes a fix
  for a mod_proxy reverse proxy exposure via RewriteRule or
  ProxyPassMatch directives.
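As an added example (not code from SUSE or the Apache project), the following Python model implements the MaxRanges semantics described above, so an administrator can check how a given Range header would be treated under the default, unlimited and none settings; the function names and the sample header are my own constructions.

```python
# Added example (not SUSE's or Apache's own code): a small model of the
# MaxRanges semantics described in the advisory, so a defender can check
# how a given Range header would be treated under each setting.
# Function names and the sample header are constructed for illustration.
import re
from typing import Optional

DEFAULT_MAX_RANGES = 200          # advisory: "default: 200"
UNLIMITED = -1                    # internal marker for "0|unlimited"
RANGE_SPEC = re.compile(r"\d*-\d*")  # one byte-range spec: first-last, first-, -suffix


def parse_max_ranges(value: str) -> Optional[int]:
    """Interpret a MaxRanges directive value: None for "none" (Range headers
    ignored entirely), UNLIMITED for "0" or "unlimited", else the limit."""
    v = value.strip().lower()
    if v == "none":
        return None
    if v in ("0", "unlimited"):
        return UNLIMITED
    n = int(v)
    if n < 0:
        raise ValueError(f"invalid MaxRanges value: {value!r}")
    return n


def count_ranges(range_header: str) -> int:
    """Count the byte-range specs in a header such as 'bytes=0-9,20-29'."""
    if not range_header.lower().startswith("bytes="):
        return 0
    specs = (s.strip() for s in range_header[len("bytes="):].split(","))
    return sum(1 for s in specs if s != "-" and RANGE_SPEC.fullmatch(s))


def response_status(range_header: Optional[str], max_ranges: Optional[int]) -> int:
    """Return 206 if the ranges would be honoured, 200 if the full body is sent.
    The full body is served when there is no usable Range header, when
    MaxRanges is "none", or when the number of ranges exceeds the limit."""
    if range_header is None or max_ranges is None:
        return 200
    n = count_ranges(range_header)
    if n == 0:
        return 200
    if max_ranges != UNLIMITED and n > max_ranges:
        return 200
    return 206


# Constructed sample: a request carrying far more ranges than the default allows
MANY_RANGES = "bytes=" + ",".join(f"{i}-{i}" for i in range(300))
```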
Security Issue references:
* CVE-2011-3192
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192>
Indications:
Please install this update.
Package List:
- SUSE Linux Enterprise Server 10 SP3 (i586 s390x x86_64):
apache2-2.2.3-16.32.37.1
apache2-devel-2.2.3-16.32.37.1
apache2-doc-2.2.3-16.32.37.1
apache2-example-pages-2.2.3-16.32.37.1
apache2-prefork-2.2.3-16.32.37.1
apache2-worker-2.2.3-16.32.37.1
References:
http://support.novell.com/security/cve/CVE-2011-3192.html
https://bugzilla.novell.com/713966
https://bugzilla.novell.com/718106
https://bugzilla.novell.com/719236
https://bugzilla.novell.com/722545
http://download.novell.com/patch/finder/?keywords=93f3f0fb2aeae6252ba07a3f17184bb0