Description: | Summary: The remote host is missing an update for the 'apache2' package(s) announced via the SUSE-SU-2013:0469-1 advisory.
Vulnerability Insight: This Apache2 LTSS roll-up update for SUSE Linux Enterprise 10 SP3 LTSS fixes the following security issues and bugs:
* CVE-2012-4557: Denial of Service via special requests in mod_proxy_ajp
* CVE-2012-0883: improper LD_LIBRARY_PATH handling
* CVE-2012-2687: filename escaping problem
* CVE-2012-0031: Fixed a scoreboard (shared memory segment) corruption by a child process that causes a crash of the privileged parent (invalid free()) during shutdown.
* CVE-2012-0053: Fixed an issue in error responses that could expose 'httpOnly' cookies when no custom ErrorDocument is specified for status code 400.
* The SSL configuration template has been adjusted not to suggest weak ciphers.
* CVE-2007-6750: The 'mod_reqtimeout' module was backported from Apache 2.2.21 to help mitigate the 'Slowloris' Denial of Service attack. You need to enable the 'mod_reqtimeout' module in your existing apache configuration to make it effective, e.g. in the APACHE_MODULES line in /etc/sysconfig/apache2.
* CVE-2011-3639, CVE-2011-3368, CVE-2011-4317: This update also includes several fixes for a mod_proxy reverse proxy exposure via RewriteRule or ProxyPassMatch directives.
* CVE-2011-1473: Fixed the SSL renegotiation DoS by disabling renegotiation by default.
* CVE-2011-3607: Integer overflow in the ap_pregsub function resulting in a heap-based buffer overflow could potentially allow local attackers to gain privileges.
Additionally, some non-security bugs have been fixed which are listed in the changelog file.
Security Issue references:
* CVE-2012-4557
* CVE-2012-2687
* CVE-2012-0883
* CVE-2012-0021
Affected Software/OS: 'apache2' package(s) on SUSE Linux Enterprise Server 10-SP3.
Solution: Please install the updated package(s).
CVSS Score: 6.9
CVSS Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
|