Alerts This Week
Warning Icon 1 677
Alerts This Week
Warning Icon 1 677

openSUSE Leap 42.3: 2019:1190-1 Important Apache2 Access Control Flaws

opensuse
Calendar Grey April 11, 2019
Dist Opensuse Esm H88
Important security patch released for openSUSE Leap 42.3 apache2, addressing various major vulnerabilities. Discover further details about the update.
An update that fixes 5 vulnerabilities is now available.

Description

This update for apache2 fixes the following issues:

* CVE-2019-0220: The Apache HTTP server did not use a consistent strategy

for URL normalization throughout all of its components. In particular,

consecutive slashes were not always collapsed. Attackers could

potentially abuse these inconsistencies to by-pass access control

mechanisms and thus gain unauthorized access to protected parts of the

service. [bsc#1131241]

* CVE-2019-0217: A race condition in Apache's "mod_auth_digest" when

running in a threaded server could have allowed users with valid

credentials to authenticate using another username, bypassing configured

access control restrictions. [bsc#1131239]

* CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged

child processes or threads to execute arbitrary code with the privileges

of the parent process. Attackers with control over CGI scripts or

extension modules run by the server could have...

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory denial of service access control important apache2 openSUSE

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-1190=1

Package List

- openSUSE Leap 42.3 (i586 x86_64):

apache2-2.4.23-45.1

apache2-debuginfo-2.4.23-45.1

apache2-debugsource-2.4.23-45.1

apache2-devel-2.4.23-45.1

apache2-event-2.4.23-45.1

apache2-event-debuginfo-2.4.23-45.1

apache2-example-pages-2.4.23-45.1

apache2-prefork-2.4.23-45.1

apache2-prefork-debuginfo-2.4.23-45.1

apache2-utils-2.4.23-45.1

apache2-utils-debuginfo-2.4.23-45.1

apache2-worker-2.4.23-45.1

apache2-worker-debuginfo-2.4.23-45.1

- openSUSE Leap 42.3 (noarch):

apache2-doc-2.4.23-45.1

References

https://www.suse.com/security/cve/CVE-2019-0196.html

https://www.suse.com/security/cve/CVE-2019-0197.html

https://www.suse.com/security/cve/CVE-2019-0211.html

https://www.suse.com/security/cve/CVE-2019-0217.html

https://www.suse.com/security/cve/CVE-2019-0220.html

https://bugzilla.suse.com/1131233

https://bugzilla.suse.com/1131237

https://bugzilla.suse.com/1131239

https://bugzilla.suse.com/1131241

https://bugzilla.suse.com/1131245

--

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2019:1190-1
Rating: important
Affected Products: openSUSE Leap 42.3

Topics%20covered

Topics Covered

security advisory denial of service access control important apache2 openSUSE

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here