Recommended update for apache2
This update for apache2 fixes several issues.
These security issues were fixed:
- CVE-2017-9789: When under stress (closing many connections) the HTTP/2
handling code would sometimes access memory after it has been freed, resulting
in potentially erratic behaviour (bsc#1048575).
- CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2
to dereference a NULL pointer and crash the server process (bsc#1045160).
These non-security issues were fixed:
- Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade script (bsc#1042037)
- Fall back to 'localhost' as hostname in gensslcert (bsc#1057406)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
-
Submitted by
Petr Gajdos (pgajdos)
Fixed bugs
bnc#1045160
VUL-1: CVE-2017-7659: apache2: httpd: mod_http2 NULL pointer dereference
bnc#1048575
VUL-0: CVE-2017-9789: apache2: httpd: Read after free in mod_http2
bnc#1057406
gensslcert (apache2-utils) fails with no hostname
bnc#1042037
Apache upgrade runs /usr/share/apache2/apache-22-24-upgrade and issues a2enmod: command not found
