Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
patchinfo.4685
_patchinfo
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _patchinfo of Package patchinfo.4685
<patchinfo incident="4685"> <issue id="1043484" tracker="bnc">Horizon with SSL fails to load cipher suite</issue> <issue id="1043607" tracker="bnc">httpd-2.4.16 produces incorrect cipher suite string</issue> <issue id="1035829" tracker="bnc">gensslcert (apache2-utils) fails</issue> <issue id="1041830" tracker="bnc">Upgrading the apache2 package alone does not check dependency resolution and removes symlink</issue> <issue id="1045060" tracker="bnc">VUL-0: CVE-2017-7679: apache2: httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can buffer over-read</issue> <issue id="1045062" tracker="bnc">VUL-0: CVE-2017-3169: apache2: in httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 mod_sslmay have a dereference NULL pointer issue.</issue> <issue id="1045065" tracker="bnc">VUL-0: CVE-2017-3167: apache2: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 ap_get_basic_auth_pw() can lead to authentication requirements bypass</issue> <issue id="1048576" tracker="bnc">VUL-0: CVE-2017-9788: apache2: Uninitialized memory reflection in mod_auth_digest</issue> <issue id="2017-3167" tracker="cve" /> <issue id="2017-3169" tracker="cve" /> <issue id="2017-7679" tracker="cve" /> <issue id="2017-9788" tracker="cve" /> <category>security</category> <rating>moderate</rating> <packager>pgajdos</packager> <description> This update for apache2 provides the following fixes: Security issues fixed: * CVE-2017-9788: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. (bsc#1048576) * CVE-2017-7679: mod_mime could have read one byte past the end of a buffer when sending a malicious Content-Type response header leading to information leak or crash. (bsc#1045060) * CVE-2017-3169: mod_ssl may have dereferenced a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port leading to crash. (bsc#1045062) * CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may have lead to authentication requirements being bypassed. (bsc#1045065) Non-security issues fixed: - Re-order cipher suites to keep exclusion list at the end. (bsc#1043484, bsc#1043607) - Remove /usr/bin/http2 link only during apache2 package uninstall, not upgrade. (bsc#1041830) - In gensslcert, use hostname when fqdn is too long. (bsc#1035829) </description> <summary>Recommended update for apache2</summary> </patchinfo>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor