Overview

File _patchinfo of Package patchinfo.4686

<patchinfo incident="4686">
  <issue id="1035829" tracker="bnc">gensslcert (apache2-utils) fails</issue>
  <issue id="1041830" tracker="bnc">L3: Upgrading the apache2 package alone does not check dependency resolution and removes symlink</issue>
  <issue id="1045060" tracker="bnc">VUL-0: CVE-2017-7679: apache2: httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can buffer over-read</issue>
  <issue id="1045062" tracker="bnc">VUL-0: CVE-2017-3169: apache2: in httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 mod_sslmay have a dereference NULL pointer issue.</issue>
  <issue id="1045065" tracker="bnc">VUL-0: CVE-2017-3167: apache2: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 ap_get_basic_auth_pw() can lead to authentication requirements bypass</issue>
  <issue id="2017-3167" tracker="cve">VUL-0: CVE-2017-3167: apache2: In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 ap_get_basic_auth_pw() can lead to authentication requirements bypass</issue>
  <issue id="2017-3169" tracker="cve">VUL-0: CVE-2017-3169: apache2: in httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26 mod_sslmay have a dereference NULL pointer issue.</issue>
  <issue id="2017-7679" tracker="cve">VUL-0: CVE-2017-7679: apache2: httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can buffer over-readVUL-0: CVE-2017-7679: apache2: httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can buffer over-read</issue>
  <category>security</category>
  <rating>moderate</rating>
  <packager>pgajdos</packager>
  <description>
This update for apache2 provides the following fixes:

Security issues fixed:

- CVE-2017-3167: In Apache use of httpd ap_get_basic_auth_pw() outside
  of the authentication phase could lead to authentication requirements
  bypass (bsc#1045065)
- CVE-2017-3169: In mod_ssl may have a dereference NULL pointer issue
  which could lead to denial of service (bsc#1045062)
- CVE-2017-7679: In mod_mime can buffer over-read by 1 byte, potentially
  leading to a crash or information disclosure (bsc#1045060)

Non-Security issues fixed:

- Remove /usr/bin/http2 symlink only during apache2 package uninstall, not upgrade. (bsc#1041830)
- In gensslcert, use hostname when fqdn is too long. (bsc#1035829)

</description>
  <summary>Security update for apache2</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places