Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 555
Alerts This Week
Warning Icon 1 555

openSUSE 15.0: 2019:1209-1 Significant Apache2 Denial of Service Threats

opensuse
Calendar Grey April 16, 2019
Dist Opensuse Esm H88
The latest security patch for Apache2 on openSUSE Leap resolves critical vulnerabilities that could lead to unauthorized access and exploitation.
An update that fixes 5 vulnerabilities is now available.

Description

This update for apache2 fixes the following issues:

* CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged

child processes or threads to execute arbitrary code with the privileges

of the parent process. Attackers with control over CGI scripts or

extension modules run by the server could have abused this issue to

potentially gain super user privileges. [bsc#1131233]

* CVE-2019-0220: The Apache HTTP server did not use a consistent strategy

for URL normalization throughout all of its components. In particular,

consecutive slashes were not always collapsed. Attackers could

potentially abuse these inconsistencies to by-pass access control

mechanisms and thus gain unauthorized access to protected parts of the

service. [bsc#1131241]

* CVE-2019-0217: A race condition in Apache's "mod_auth_digest" when

running in a threaded server could have allowed users with valid

credentials to authenticate using...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1209=1

Package List

- openSUSE Leap 15.0 (i586 x86_64):

apache2-2.4.33-lp150.2.17.1

apache2-debuginfo-2.4.33-lp150.2.17.1

apache2-debugsource-2.4.33-lp150.2.17.1

apache2-devel-2.4.33-lp150.2.17.1

apache2-event-2.4.33-lp150.2.17.1

apache2-event-debuginfo-2.4.33-lp150.2.17.1

apache2-example-pages-2.4.33-lp150.2.17.1

apache2-prefork-2.4.33-lp150.2.17.1

apache2-prefork-debuginfo-2.4.33-lp150.2.17.1

apache2-utils-2.4.33-lp150.2.17.1

apache2-utils-debuginfo-2.4.33-lp150.2.17.1

apache2-worker-2.4.33-lp150.2.17.1

apache2-worker-debuginfo-2.4.33-lp150.2.17.1

- openSUSE Leap 15.0 (noarch):

apache2-doc-2.4.33-lp150.2.17.1

References

https://www.suse.com/security/cve/CVE-2019-0196.html

https://www.suse.com/security/cve/CVE-2019-0197.html

https://www.suse.com/security/cve/CVE-2019-0211.html

https://www.suse.com/security/cve/CVE-2019-0217.html

https://www.suse.com/security/cve/CVE-2019-0220.html

https://bugzilla.suse.com/1131233

https://bugzilla.suse.com/1131237

https://bugzilla.suse.com/1131239

https://bugzilla.suse.com/1131241

https://bugzilla.suse.com/1131245

--

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2019:1209-1
Rating: important
Affected Products: openSUSE Leap 15.0

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.