Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2051-1 Final 1 1 2019-09-02T10:33:13Z current 2019-09-02T10:33:13Z 2019-09-02T10:33:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: Security issues fixed: - CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained interal data buffering (bsc#1145575). - CVE-2019-10081: Fixed mod_http2 that is vulnerable to memory corruption on early pushes (bsc#1145742). - CVE-2019-10082: Fixed mod_http2 that is vulnerable to read-after-free in h2 connection shutdown (bsc#1145741). - CVE-2019-10092: Fixed limited cross-site scripting in mod_proxy (bsc#1145740). - CVE-2019-10097: Fixed mod_remoteip stack buffer overflow and NULL pointer dereference (bsc#1145739). - CVE-2019-10098: Fixed mod_rewrite configuration vulnerablility to open redirect (bsc#1145738). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2051 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 E-Mail link for openSUSE-SU-2019:2051-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1145575 SUSE Bug 1145575 https://bugzilla.suse.com/1145738 SUSE Bug 1145738 https://bugzilla.suse.com/1145739 SUSE Bug 1145739 https://bugzilla.suse.com/1145740 SUSE Bug 1145740 https://bugzilla.suse.com/1145741 SUSE Bug 1145741 https://bugzilla.suse.com/1145742 SUSE Bug 1145742 https://www.suse.com/security/cve/CVE-2019-10081/ SUSE CVE CVE-2019-10081 page https://www.suse.com/security/cve/CVE-2019-10082/ SUSE CVE CVE-2019-10082 page https://www.suse.com/security/cve/CVE-2019-10092/ SUSE CVE CVE-2019-10092 page https://www.suse.com/security/cve/CVE-2019-10097/ SUSE CVE CVE-2019-10097 page https://www.suse.com/security/cve/CVE-2019-10098/ SUSE CVE CVE-2019-10098 page https://www.suse.com/security/cve/CVE-2019-9517/ SUSE CVE CVE-2019-9517 page openSUSE Leap 15.0 openSUSE Leap 15.1 apache2-2.4.33-lp151.8.6.1 apache2-devel-2.4.33-lp151.8.6.1 apache2-doc-2.4.33-lp151.8.6.1 apache2-event-2.4.33-lp151.8.6.1 apache2-example-pages-2.4.33-lp151.8.6.1 apache2-prefork-2.4.33-lp151.8.6.1 apache2-utils-2.4.33-lp151.8.6.1 apache2-worker-2.4.33-lp151.8.6.1 apache2-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-devel-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-doc-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-event-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-example-pages-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-prefork-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-utils-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-worker-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.0 apache2-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-devel-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-doc-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-event-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-example-pages-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-prefork-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-utils-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 apache2-worker-2.4.33-lp151.8.6.1 as a component of openSUSE Leap 15.1 HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. CVE-2019-10081 openSUSE Leap 15.0:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-worker-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-worker-2.4.33-lp151.8.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 https://www.suse.com/security/cve/CVE-2019-10081.html CVE-2019-10081 https://bugzilla.suse.com/1145742 SUSE Bug 1145742 In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. CVE-2019-10082 openSUSE Leap 15.0:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-worker-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-worker-2.4.33-lp151.8.6.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 https://www.suse.com/security/cve/CVE-2019-10082.html CVE-2019-10082 https://bugzilla.suse.com/1145741 SUSE Bug 1145741 In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. CVE-2019-10092 openSUSE Leap 15.0:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-worker-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-worker-2.4.33-lp151.8.6.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 https://www.suse.com/security/cve/CVE-2019-10092.html CVE-2019-10092 https://bugzilla.suse.com/1145740 SUSE Bug 1145740 https://bugzilla.suse.com/1182703 SUSE Bug 1182703 In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients. CVE-2019-10097 openSUSE Leap 15.0:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-worker-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-worker-2.4.33-lp151.8.6.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 https://www.suse.com/security/cve/CVE-2019-10097.html CVE-2019-10097 https://bugzilla.suse.com/1145739 SUSE Bug 1145739 In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. CVE-2019-10098 openSUSE Leap 15.0:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-worker-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-worker-2.4.33-lp151.8.6.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 https://www.suse.com/security/cve/CVE-2019-10098.html CVE-2019-10098 https://bugzilla.suse.com/1145738 SUSE Bug 1145738 https://bugzilla.suse.com/1168407 SUSE Bug 1168407 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. CVE-2019-9517 openSUSE Leap 15.0:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.0:apache2-worker-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-devel-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-doc-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-event-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-example-pages-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-prefork-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-utils-2.4.33-lp151.8.6.1 openSUSE Leap 15.1:apache2-worker-2.4.33-lp151.8.6.1 important 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3/#2PR3ITGMIPGWWX4VYKKICQKSZVW5QUW3 https://www.suse.com/security/cve/CVE-2019-9517.html CVE-2019-9517 https://bugzilla.suse.com/1145575 SUSE Bug 1145575 https://bugzilla.suse.com/1146097 SUSE Bug 1146097