apache2 security update
This update fixes several security issues in the Apache2
webserver.
CVE-2011-3368, CVE-2011-4317: This update also includes
several fixes for a mod_proxy reverse exposure via
RewriteRule or ProxyPassMatch directives.
CVE-2011-3607: Integer overflow in ap_pregsub function
resulting in a heap based buffer overflow could potentially
allow local attackers to gain privileges
In addition to that the following changes were made:
- new template file:
/etc/apache2/vhosts.d/vhost-ssl.template allow TLSv1
only, browser match stuff commented out.
- rc script /etc/init.d/apache2: handle reload with deleted
binaries by message to stdout only, but refrain from
sending signals.
-
Submitted by
Adrian Schröter (adrianSuSE)
- Version 5520
Fixed bugs
bnc#722545
VUL-1: CVE-2011-3368: apache2: mod_proxy reverse proxy exposure
bnc#729181
VUL-0: CVE-2011-3607: apache2: integer overflow leading to a heap buffer overflow
CVE#CVE-2011-3368
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which a
CVE#CVE-2011-4317
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches
CVE#CVE-2011-3607
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnv
