Overview Details
update for apache2

- httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff
addresses CVE-2012-0053: error responses can expose cookies when
no custom 400 error code ErrorDocument is configured. [bnc#743743]
- httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff:
scoreboard corruption (shared mem segment) by child causes
crash of privileged parent (invalid free()) during shutdown.
This is rated low impact. Notice:
https://svn.apache.org/viewvc?view=revision&revision=1230065
makes a change to the struct global_score, which causes binary
incompatibility. The change in above patch only goes as far as
the binary compatibility allows; the vulnerability is completely
fixed, though. CVE-2012-0031 [bnc#741243]

- /etc/init.d/apache2: new argument "check-reload". Exits 1 if
httpd2 runs on deleted binaries such as after package update,
else 0. This is used by equally modified /etc/logrotate.d/apache2,
which uses "/etc/init.d/apache2 check-reload" in its prerotate
script.
These changes prevent httpd2 from being (gracefully) reloaded
by logrotate, executed by cron, if new binaries have been
installed. Instead, a warning is printed on stdout and is being
logged to the syslogs. If this happens, apache's logs are NOT
rotated, and the running processes are left untouched. This
limits the maximum damage of log rotation to unrotated logs.
"/etc/init.d/apache2 restart" (or "rcapache2 restart") must be
executed manually in such a case. [bnc#728876]
- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff: Fix for
integer overflow in server/util.c also known as CVE-2011-3607.
[bnc#729181]
- enable build and configuration of mod_reqtimeout.c module by
default in /etc/sysconfig/apache2 (APACHE_MODULES=...). This
does not change already existing sysconfig files, the module
is only activated via sysconfig if this package is installed
without pre-existing sysconfig file. See new file
/etc/apache2/mod_reqtimeout.conf for configurables.
Helps against Slowloris.pl DoS vulnerability that consists of
eating up request slots by very slowly submitting the request.
Note that mod_reqtimeout limits requests based on a lower
boundary of request speed, not an upper boundary!
CVE-2007-6750 [bnc#738855].

Fixed bugs
bnc#729181
integer overflow leading to a heap buffer overflow
bnc#743743
cookie exposure due to error responses
bnc#741243
possible crash on shutdown due to flaw in scoreboard handling
bnc#738855
DoS via partial HTTP requests
bnc#728876
update to apache2-2.2.12-1.18.1 breaks graceful reload
CVE-CVE-2011-3607
CVE-CVE-2007-6750
CVE-CVE-2012-0053
CVE-CVE-2012-0031
Selected Binaries
openSUSE Build Service is sponsored by
Places