File _patchinfo of Package patchinfo.863

<patchinfo incident="863">
  <issue id="915666" tracker="bnc">Apache source is inconsistent</issue>
  <issue id="911159" tracker="bnc">Bug in IfModule directives in ssl-global.conf</issue>
  <issue id="444878" tracker="bnc">reduce apache2 rebuild volatileness</issue>
  <issue id="927845" tracker="bnc">VUL-1: CVE-2014-8111: apache2-mod_jk: Tomcat mod_jk information leak due to incorrect JkMount/JkUnmount directives processing</issue>
  <issue id="CVE-2014-8111" tracker="cve" />
  <issue tracker="bnc" id="869790">split-logfile2 doesn't work anymore</issue>
  <issue tracker="bnc" id="930228">AuthLDAPBindDN causing LDAP authz failures when using connection pool</issue>
  <issue tracker="bnc" id="931002">yast http server opens udp 443 port</issue>
  <issue tracker="bnc" id="931723">VUL-1: apache2: The Logjam Attack / weakdh.org</issue>
  <issue tracker="bnc" id="938723">VUL-1: CVE-2015-3185: apache2: replacement of ap_some_auth_required with new ap_some_authn_required and ap_force_authn</issue>
  <issue tracker="bnc" id="938728">VUL-0: CVE-2015-3183: apache2: chunk header parsing defect</issue>
  <issue tracker="bnc" id="939516">VUL-0: CVE-2015-3185: apache2: Mixed anonymous/authenticated path-based authz with httpd 2.4</issue>
  <issue tracker="bnc" id="949766">gensslcert from apache2 without options is not taking the right hostname</issue>
  <issue tracker="bnc" id="949771">gensslcert -h wrong documentation</issue>
  <issue tracker="cve" id="CVE-2015-3183"/>
  <issue tracker="cve" id="CVE-2015-3185"/>
  <issue tracker="cve" id="CVE-2015-4000"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>pgajdos</packager>
  <description>
The Apache2 web server was updated to fix several issues:

Security issues fixed:
- The chunked transfer coding implementation in the Apache HTTP Server
  did not properly parse chunk headers, which allowed remote attackers to
  conduct HTTP request smuggling attacks via a crafted request, related
  to mishandling of large chunk-size values and invalid chunk-extension
  characters in modules/http/http_filters.c. [bsc#938728, CVE-2015-3183]
- The Logjam security issue [bnc#931723 CVE-2015-4000] was addressed by:
  * changing the SSLCipherSuite cipher string to disable export cipher
    suites and deploy Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE)
    ciphers.
  * adjusting the 'gensslcert' script to generate a strong and unique
    Diffie-Hellman group and append it to the server certificate file.
- The ap_some_auth_required function in server/request.c in the Apache
  HTTP Server 2.4.x did not consider that a Require directive may be
  associated with an authorization setting rather than an authentication
  setting, which allowed remote attackers to bypass intended access
  restrictions in opportunistic circumstances by leveraging the presence
  of a module that relies on the 2.2 API behavior.
  [bnc#938723 bnc#939516 CVE-2015-3185]
- An information leak in Tomcat mod_jk due to incorrect processing of
  JkMount/JkUnmount directives. [bnc#927845 CVE-2014-8111]

Other bugs fixed:
- Now provides suse_maintenance_mmn_# [bnc#915666].
- Modules are now hardcoded in the %files section [bnc#444878].
- Fixed the IfModule directive around SSLSessionCache [bnc#911159].
- Allow only TCP ports in the YaST2 firewall files [bnc#931002].
- Fixed a regression where some LDAP searches or comparisons could be
  done with the wrong credentials when a backend connection was reused
  [bnc#930228].
- Fixed the split-logfile2 script [bnc#869790].
- Removed the changed MODULE_MAGIC_NUMBER_MINOR, which confused modules
  into expecting functionality that our Apache does not provide
  [bnc#915666].
- gensslcert: the CN now defaults to `hostname -f` [bnc#949766]; fixed
  the help output [bnc#949771].
</description>
  <summary>Security update for apache2</summary>
</patchinfo>