Overview

File _patchinfo of Package patchinfo.3239

<patchinfo incident="3239">
  <issue id="1035829" tracker="bnc">gensslcert (apache2-utils) fails</issue>
  <issue id="980663" tracker="bnc">apache systemd notify related log message</issue>
  <issue id="1045062" tracker="bnc">VUL-0: CVE-2017-3169: apache2: in httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 mod_sslmay have a dereference NULL pointer issue.</issue>
  <issue id="1045060" tracker="bnc">VUL-0: CVE-2017-7679: apache2:  httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can buffer over-read</issue>
  <issue id="1048576" tracker="bnc">VUL-0: CVE-2017-9788: apache2: Uninitialized memory reflection in mod_auth_digest</issue>
  <issue id="1045065" tracker="bnc">VUL-0: CVE-2017-3167: apache2: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 ap_get_basic_auth_pw() can lead to authentication requirements bypass</issue>
  <issue id="1041830" tracker="bnc">Upgrading the apache2 package alone does not check dependency resolution and removes symlink</issue>
  <issue id="1058058" tracker="bnc">VUL-0: EMBARGOED: CVE-2017-9798: apache2: information leak via OPTIONS</issue>
  <issue id="2017-9798" tracker="cve" />
  <issue id="2017-9788" tracker="cve" />
  <issue id="2017-3167" tracker="cve" />
  <issue id="2017-7679" tracker="cve" />
  <issue id="2017-3169" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>pgajdos</packager>
  <description>This update for apache2 fixes several issues.

These security issues were fixed:
    
- CVE-2017-9798: Prevent use-after-free use of memory that allowed for an
  information leak via OPTIONS (bsc#1058058)
- CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest could have
  lead to leakage of potentially confidential information, and a segfault in
  other cases resulting in DoS (bsc#1048576).
- CVE-2017-7679: mod_mime could have read one byte past the end of a buffer
  when sending a malicious Content-Type response header (bsc#1045060).
- CVE-2017-3169: mod_ssl may dereferenced a NULL pointer when third-party
  modules call ap_hook_process_connection() during an HTTP request to an HTTPS
  port allowing for DoS (bsc#1045062).
- CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules
  outside of the authentication phase may have lead to authentication
  requirements being bypassed (bsc#1045065).

These non-security issues were fixed:

- remove /usr/bin/http2 symlink only during apache2 package 
  uninstall, not upgrade (bsc#1041830)
- gensslcert: use hostname when fqdn is too long (bsc#1035829)
- add NotifyAccess=all to service file (bsc#980663)
</description>
  <summary>Security update for apache2</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places