| Description: | Summary:
The remote host is missing an update for the 'Apache' package(s) announced via the SUSE-SU-2013:0389-1 advisory.
Vulnerability Insight:
This update fixes the following issues:
* CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp
* CVE-2012-0883: improper LD_LIBRARY_PATH handling
* CVE-2012-2687: filename escaping problem
Additionally, some non-security bugs have been fixed:
* ignore case when checking against SNI server names.
[bnc#798733]
*
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to reflect the upstream changes. This will prevent the 'Invalid URI in request OPTIONS *' messages in the error log. [bnc#722545]
* new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION, if set to on,
OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache process, openssl will then transparently disable compression. This change affects start script and sysconfig fillup template. Default is on, SSL compression disabled.
Please see mod_deflate for compressed transfer at http layer. [bnc#782956]
Security Issue references:
* CVE-2012-4557
>
* CVE-2012-2687
>
* CVE-2012-0883
>
* CVE-2012-0021
>
Affected Software/OS:
'Apache' package(s) on SUSE Linux Enterprise Server 11-SP2, SUSE Linux Enterprise Software Development Kit 11-SP2.
Solution:
Please install the updated package(s).
CVSS Score:
6.9
CVSS Vector:
AV:L/AC:M/Au:N/C:C/I:C/A:C
|
