File _patchinfo of Package patchinfo.4048

<patchinfo incident="4048">
  <issue id="938723" tracker="bnc">VUL-1: CVE-2015-3185: apache2: replacement of ap_some_auth_required with new ap_some_authn_required and ap_force_authn</issue>
  <issue id="938728" tracker="bnc">VUL-0: apache2: CVE-2015-3183: apache2: chunk header parsing defect</issue>
  <issue id="931723" tracker="bnc">VUL-1: apache2: The Logjam Attack / weakdh.org</issue>
  <issue id="CVE-2015-3185" tracker="cve" />
  <issue id="CVE-2015-3183" tracker="cve" />
  <issue id="CVE-2015-4000" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>kstreitova</packager>
  <description>
Apache2 was updated to fix security issues.

- CVE-2015-3185: The ap_some_auth_required function in server/request.c in
  the Apache HTTP Server 2.4.x did not consider that a Require directive may
  be associated with an authorization setting rather than an authentication
  setting, which allows remote attackers to bypass intended access
  restrictions in opportunistic circumstances by leveraging the presence
  of a module that relies on the 2.2 API behavior. [bnc#938723]

- CVE-2015-3183: The chunked transfer coding implementation in the
  Apache HTTP Server did not properly parse chunk headers, which allows
  remote attackers to conduct HTTP request smuggling attacks via a crafted
  request, related to mishandling of large chunk-size values and invalid
  chunk-extension characters in modules/http/http_filters.c. [bnc#938728]

On openSUSE 13.1:
- CVE-2015-4000: Fix Logjam vulnerability: change the default SSLCipherSuite
  cipher string to disable export cipher suites and deploy Ephemeral Elliptic-Curve
  Diffie-Hellman (ECDHE) ciphers. Adjust the 'gensslcert' script to
  generate a strong and unique Diffie-Hellman group and append it
  to the server certificate file. [bnc#931723]
</description>
  <summary>Security update for apache2</summary>
</patchinfo>