| Description: | Summary:
The remote host is missing an update for the 'Apache' package(s) announced via the SUSE-SU-2013:0830-1 advisory.
Vulnerability Insight:
Apache2 has been updated to fix multiple security issues:
*
CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp
*
CVE-2012-0883: improper LD_LIBRARY_PATH handling
*
CVE-2012-2687: filename escaping problem
*
CVE-2012-4558: Multiple cross-site scripting (XSS)
vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server potentially allowed remote attackers to inject arbitrary web script or HTML via a crafted string.
*
CVE-2012-3499: Multiple cross-site scripting (XSS)
vulnerabilities in the Apache HTTP Server allowed remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1)
mod_imagemap, (2) mod_info, (3) mod_ldap, (4)
mod_proxy_ftp, and (5) mod_status modules.
Additionally, some non-security bugs have been fixed:
*
ignore case when checking against SNI server names.
[bnc#798733]
*
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff rewor ked to reflect the upstream changes. This will prevent the
'Invalid URI in request OPTIONS *' messages in the error log. [bnc#722545]
*
new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION, if set to on,
OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache process, openssl will then transparently disable compression. This change affects start script and sysconfig fillup template. Default is on, SSL compression disabled.
Please see mod_deflate for compressed transfer at http layer. [bnc#782956]
Security Issue references:
* CVE-2012-3499
>
* CVE-2012-4558
>
* CVE-2012-4557
>
* CVE-2012-2687
>
* CVE-2012-0883
>
* CVE-2012-0021
>
Affected Software/OS:
'Apache' package(s) on SUSE Linux Enterprise Server 11-SP1.
Solution:
Please install the updated package(s).
CVSS Score:
6.9
CVSS Vector:
AV:L/AC:M/Au:N/C:C/I:C/A:C
|
