Oval Definition:oval:org.opensuse.security:def:58977
Revision Date:2020-12-01Version:1
Title:Security update for apache2 (Moderate)
Description:

This update for apache2 fixes the following issues:

* CVE-2018-1283: when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a \'Session\' header leading to unexpected behavior [bsc#1086814].

* CVE-2018-1301: due to an out of bound access after a size limit being reached by reading the HTTP header, a specially crafted request could lead to remote denial of service. [bsc#1086817] * CVE-2018-1303: a specially crafted HTTP request header could lead to crash due to an out of bound read while preparing data to be cached in shared memory.[bsc#1086813] * CVE-2017-15715: a regular expression could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. leading to corruption of uploaded files.[bsc#1086774] * CVE-2018-1312: when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. [bsc#1086775] * CVE-2017-15710: mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. [bsc#1086820] * CVE-2018-1302: when an HTTP/2 stream was destroyed after being handled, it could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. [bsc#1086820]
Family:unixClass:patch
Status:Reference(s):1026236
1047044
1047898
1050120
1050606
1051446
1052468
1052550
1052710
1052720
1052731
1052732
1055065
1055323
1055434
1055855
1058640
1059751
1074123
1074969
1074973
1074975
1086774
1086775
1086813
1086814
1086817
1086820
1098998
1102682
1106383
1114988
1119553
1119554
1119555
1119556
1119557
1119558
1119947
1123157
1126140
1126141
1126192
1126195
1126196
1126198
1126201
1127400
1129623
1133191
1133495
1136446
1136935
1137597
1137825
1138461
1139459
1144903
1145559
1151377
1151506
1153108
1153158
1153161
1154043
1154162
1155574
1156482
1159814
1162108
1173100
1173659
1173661
1173869
1173942
1173963
1174247
CVE-2015-4000
CVE-2017-10800
CVE-2017-11141
CVE-2017-11529
CVE-2017-11644
CVE-2017-11724
CVE-2017-12434
CVE-2017-12564
CVE-2017-12667
CVE-2017-12670
CVE-2017-12672
CVE-2017-12675
CVE-2017-13060
CVE-2017-13146
CVE-2017-13648
CVE-2017-13658
CVE-2017-14326
CVE-2017-14533
CVE-2017-15710
CVE-2017-15715
CVE-2017-17881
CVE-2017-18022
CVE-2018-12359
CVE-2018-12360
CVE-2018-12362
CVE-2018-12363
CVE-2018-12364
CVE-2018-12365
CVE-2018-12366
CVE-2018-12368
CVE-2018-1283
CVE-2018-1301
CVE-2018-1302
CVE-2018-1303
CVE-2018-1312
CVE-2018-16884
CVE-2018-19967
CVE-2018-4437
CVE-2018-4438
CVE-2018-4441
CVE-2018-4442
CVE-2018-4443
CVE-2018-4464
CVE-2018-5156
CVE-2018-5188
CVE-2018-5246
CVE-2018-5247
CVE-2018-5390
CVE-2019-10220
CVE-2019-11477
CVE-2019-11478
CVE-2019-11487
CVE-2019-11500
CVE-2019-12387
CVE-2019-12855
CVE-2019-14895
CVE-2019-14901
CVE-2019-16746
CVE-2019-17133
CVE-2019-19447
CVE-2019-2974
CVE-2019-3846
CVE-2019-6778
CVE-2019-9458
CVE-2019-9824
CVE-2020-11668
CVE-2020-14331
CVE-2020-1712
SUSE-SU-2018:0130-1
SUSE-SU-2018:1161-1
SUSE-SU-2018:2322-2
SUSE-SU-2019:0921-1
SUSE-SU-2019:2066-1
SUSE-SU-2019:2230-1
SUSE-SU-2019:2453-1
SUSE-SU-2019:2454-1
SUSE-SU-2020:0331-1
SUSE-SU-2020:2492-1
Platform(s):openSUSE Leap 15.0
openSUSE Leap 15.1
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server 12 SP2-BCL
SUSE Linux Enterprise Server 12 SP2-ESPOS
SUSE Linux Enterprise Server 12 SP2-LTSS
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server 12 SP3-ESPOS
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server 12 SP3-TERADATA
SUSE Linux Enterprise Server 12 SP4
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud Crowbar 8
Product(s):
Definition Synopsis
  • openSUSE Leap 15.0 is installed
  • AND Package Information
  • tar-1.29-lp150.1 is installed
  • OR tar-lang-1.29-lp150.1 is installed
  • OR tar-rmt-1.29-lp150.1 is installed
  • Definition Synopsis
  • openSUSE Leap 15.1 is installed
  • AND Package Information
  • apache2-mod_php7-7.2.5-lp151.6.3 is installed
  • OR php7-7.2.5-lp151.6.3 is installed
  • OR php7-bcmath-7.2.5-lp151.6.3 is installed
  • OR php7-bz2-7.2.5-lp151.6.3 is installed
  • OR php7-calendar-7.2.5-lp151.6.3 is installed
  • OR php7-ctype-7.2.5-lp151.6.3 is installed
  • OR php7-curl-7.2.5-lp151.6.3 is installed
  • OR php7-dba-7.2.5-lp151.6.3 is installed
  • OR php7-devel-7.2.5-lp151.6.3 is installed
  • OR php7-dom-7.2.5-lp151.6.3 is installed
  • OR php7-embed-7.2.5-lp151.6.3 is installed
  • OR php7-enchant-7.2.5-lp151.6.3 is installed
  • OR php7-exif-7.2.5-lp151.6.3 is installed
  • OR php7-fastcgi-7.2.5-lp151.6.3 is installed
  • OR php7-fileinfo-7.2.5-lp151.6.3 is installed
  • OR php7-firebird-7.2.5-lp151.6.3 is installed
  • OR php7-fpm-7.2.5-lp151.6.3 is installed
  • OR php7-ftp-7.2.5-lp151.6.3 is installed
  • OR php7-gd-7.2.5-lp151.6.3 is installed
  • OR php7-gettext-7.2.5-lp151.6.3 is installed
  • OR php7-gmp-7.2.5-lp151.6.3 is installed
  • OR php7-iconv-7.2.5-lp151.6.3 is installed
  • OR php7-intl-7.2.5-lp151.6.3 is installed
  • OR php7-json-7.2.5-lp151.6.3 is installed
  • OR php7-ldap-7.2.5-lp151.6.3 is installed
  • OR php7-mbstring-7.2.5-lp151.6.3 is installed
  • OR php7-mysql-7.2.5-lp151.6.3 is installed
  • OR php7-odbc-7.2.5-lp151.6.3 is installed
  • OR php7-opcache-7.2.5-lp151.6.3 is installed
  • OR php7-openssl-7.2.5-lp151.6.3 is installed
  • OR php7-pcntl-7.2.5-lp151.6.3 is installed
  • OR php7-pdo-7.2.5-lp151.6.3 is installed
  • OR php7-pear-7.2.5-lp151.6.3 is installed
  • OR php7-pear-Archive_Tar-7.2.5-lp151.6.3 is installed
  • OR php7-pgsql-7.2.5-lp151.6.3 is installed
  • OR php7-phar-7.2.5-lp151.6.3 is installed
  • OR php7-posix-7.2.5-lp151.6.3 is installed
  • OR php7-readline-7.2.5-lp151.6.3 is installed
  • OR php7-shmop-7.2.5-lp151.6.3 is installed
  • OR php7-snmp-7.2.5-lp151.6.3 is installed
  • OR php7-soap-7.2.5-lp151.6.3 is installed
  • OR php7-sockets-7.2.5-lp151.6.3 is installed
  • OR php7-sodium-7.2.5-lp151.6.3 is installed
  • OR php7-sqlite-7.2.5-lp151.6.3 is installed
  • OR php7-sysvmsg-7.2.5-lp151.6.3 is installed
  • OR php7-sysvsem-7.2.5-lp151.6.3 is installed
  • OR php7-sysvshm-7.2.5-lp151.6.3 is installed
  • OR php7-testresults-7.2.5-lp151.6.3 is installed
  • OR php7-tidy-7.2.5-lp151.6.3 is installed
  • OR php7-tokenizer-7.2.5-lp151.6.3 is installed
  • OR php7-wddx-7.2.5-lp151.6.3 is installed
  • OR php7-xmlreader-7.2.5-lp151.6.3 is installed
  • OR php7-xmlrpc-7.2.5-lp151.6.3 is installed
  • OR php7-xmlwriter-7.2.5-lp151.6.3 is installed
  • OR php7-xsl-7.2.5-lp151.6.3 is installed
  • OR php7-zip-7.2.5-lp151.6.3 is installed
  • OR php7-zlib-7.2.5-lp151.6.3 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2 is installed
  • AND Package Information
  • ImageMagick-6.8.8.1-71.26 is installed
  • OR libMagickCore-6_Q16-1-6.8.8.1-71.26 is installed
  • OR libMagickWand-6_Q16-1-6.8.8.1-71.26 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-BCL is installed
  • AND Package Information
  • MozillaFirefox-52.9.0esr-109.38 is installed
  • OR MozillaFirefox-devel-52.9.0esr-109.38 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
  • AND Package Information
  • libjavascriptcoregtk-4_0-18-2.22.5-2.32 is installed
  • OR libwebkit2gtk-4_0-37-2.22.5-2.32 is installed
  • OR libwebkit2gtk3-lang-2.22.5-2.32 is installed
  • OR typelib-1_0-JavaScriptCore-4_0-2.22.5-2.32 is installed
  • OR typelib-1_0-WebKit2-4_0-2.22.5-2.32 is installed
  • OR typelib-1_0-WebKit2WebExtension-4_0-2.22.5-2.32 is installed
  • OR webkit2gtk-4_0-injected-bundles-2.22.5-2.32 is installed
  • OR webkit2gtk3-2.22.5-2.32 is installed
  • OR webkit2gtk3-devel-2.22.5-2.32 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP2-LTSS is installed
  • AND Package Information
  • apache2-2.4.23-29.18 is installed
  • OR apache2-doc-2.4.23-29.18 is installed
  • OR apache2-example-pages-2.4.23-29.18 is installed
  • OR apache2-prefork-2.4.23-29.18 is installed
  • OR apache2-utils-2.4.23-29.18 is installed
  • OR apache2-worker-2.4.23-29.18 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3 is installed
  • AND libtcnative-1-0-1.1.34-12 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
  • AND Package Information
  • libjavascriptcoregtk-4_0-18-2.28.4-2.59 is installed
  • OR libwebkit2gtk-4_0-37-2.28.4-2.59 is installed
  • OR libwebkit2gtk3-lang-2.28.4-2.59 is installed
  • OR typelib-1_0-JavaScriptCore-4_0-2.28.4-2.59 is installed
  • OR typelib-1_0-WebKit2-4_0-2.28.4-2.59 is installed
  • OR typelib-1_0-WebKit2WebExtension-4_0-2.28.4-2.59 is installed
  • OR webkit2gtk-4_0-injected-bundles-2.28.4-2.59 is installed
  • OR webkit2gtk3-2.28.4-2.59 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-LTSS is installed
  • AND Package Information
  • MozillaFirefox-60.8.0-109.83 is installed
  • OR MozillaFirefox-translations-common-60.8.0-109.83 is installed
  • OR libfreebl3-3.44.1-58.28 is installed
  • OR libfreebl3-32bit-3.44.1-58.28 is installed
  • OR libfreebl3-hmac-3.44.1-58.28 is installed
  • OR libfreebl3-hmac-32bit-3.44.1-58.28 is installed
  • OR libsoftokn3-3.44.1-58.28 is installed
  • OR libsoftokn3-32bit-3.44.1-58.28 is installed
  • OR libsoftokn3-hmac-3.44.1-58.28 is installed
  • OR libsoftokn3-hmac-32bit-3.44.1-58.28 is installed
  • OR mozilla-nss-3.44.1-58.28 is installed
  • OR mozilla-nss-32bit-3.44.1-58.28 is installed
  • OR mozilla-nss-certs-3.44.1-58.28 is installed
  • OR mozilla-nss-certs-32bit-3.44.1-58.28 is installed
  • OR mozilla-nss-sysinit-3.44.1-58.28 is installed
  • OR mozilla-nss-sysinit-32bit-3.44.1-58.28 is installed
  • OR mozilla-nss-tools-3.44.1-58.28 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
  • AND Package Information
  • ceph-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR ceph-common-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR libcephfs2-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR librados2-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR libradosstriper1-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR librbd1-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR librgw2-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR python-cephfs-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR python-rados-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR python-rbd-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • OR python-rgw-12.2.7+git.1531910353.c0ef85b854-2.12 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Server 12 SP4 is installed
  • AND Package Information
  • java-1_8_0-openjdk-1.8.0.181-27.26 is installed
  • OR java-1_8_0-openjdk-demo-1.8.0.181-27.26 is installed
  • OR java-1_8_0-openjdk-devel-1.8.0.181-27.26 is installed
  • OR java-1_8_0-openjdk-headless-1.8.0.181-27.26 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud 8 is installed
  • AND python-Twisted-15.2.1-9.5 is installed
  • Definition Synopsis
  • SUSE OpenStack Cloud Crowbar 8 is installed
  • AND Package Information
  • ruby2.1-rubygem-rails-html-sanitizer-1.0.3-8.8 is installed
  • OR rubygem-rails-html-sanitizer-1.0.3-8.8 is installed
  • BACK