Overview

File _patchinfo of Package patchinfo.5776

<patchinfo incident="5776">
  <issue id="1045160" tracker="bnc">VUL-1: CVE-2017-7659: apache2:  httpd: mod_http2 NULL pointer dereference</issue>
  <issue id="1048575" tracker="bnc">VUL-0: CVE-2017-9789: apache2: httpd: Read after free in mod_http2</issue>
  <issue id="2017-7659" tracker="cve" />
  <issue id="2017-9789" tracker="cve" />
  <issue id="1057406" tracker="bnc">gensslcert (apache2-utils) fails with no hostname</issue>
  <issue id="1042037" tracker="bnc">Apache upgrade runs /usr/share/apache2/apache-22-24-upgrade and issues a2enmod: command not found</issue>
  <category>security</category>
  <rating>moderate</rating>
  <packager>pgajdos</packager>
  <description>This update for apache2 fixes several issues.

These security issues were fixed:

- CVE-2017-9789: When under stress (closing many connections) the HTTP/2
  handling code would sometimes access memory after it has been freed, resulting
  in potentially erratic behaviour (bsc#1048575).
- CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2
  to dereference a NULL pointer and crash the server process (bsc#1045160).

These non-security issues were fixed:

- Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade script (bsc#1042037)
- Fall back to 'localhost' as hostname in gensslcert (bsc#1057406)
</description>
  <summary>Recommended update for apache2</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places