Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0908-1 Final 1 1 2021-06-24T09:52:47Z current 2021-06-24T09:52:47Z 2021-06-24T09:52:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following issues: - fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression - fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request - fixed CVE-2020-13950 [bsc#1187040]: mod_proxy NULL pointer dereference - fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest - fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser - fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-908 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ E-Mail link for openSUSE-SU-2021:0908-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1186922 SUSE Bug 1186922 https://bugzilla.suse.com/1186923 SUSE Bug 1186923 https://bugzilla.suse.com/1186924 SUSE Bug 1186924 https://bugzilla.suse.com/1187017 SUSE Bug 1187017 https://bugzilla.suse.com/1187040 SUSE Bug 1187040 https://bugzilla.suse.com/1187174 SUSE Bug 1187174 https://www.suse.com/security/cve/CVE-2020-13950/ SUSE CVE CVE-2020-13950 page https://www.suse.com/security/cve/CVE-2020-35452/ SUSE CVE CVE-2020-35452 page https://www.suse.com/security/cve/CVE-2021-26690/ SUSE CVE CVE-2021-26690 page https://www.suse.com/security/cve/CVE-2021-26691/ SUSE CVE CVE-2021-26691 page https://www.suse.com/security/cve/CVE-2021-30641/ SUSE CVE CVE-2021-30641 page https://www.suse.com/security/cve/CVE-2021-31618/ SUSE CVE CVE-2021-31618 page openSUSE Leap 15.2 apache2-2.4.43-lp152.2.15.1 apache2-devel-2.4.43-lp152.2.15.1 apache2-doc-2.4.43-lp152.2.15.1 apache2-event-2.4.43-lp152.2.15.1 apache2-example-pages-2.4.43-lp152.2.15.1 apache2-prefork-2.4.43-lp152.2.15.1 apache2-utils-2.4.43-lp152.2.15.1 apache2-worker-2.4.43-lp152.2.15.1 apache2-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-devel-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-doc-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-event-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-example-pages-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-prefork-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-utils-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 apache2-worker-2.4.43-lp152.2.15.1 as a component of openSUSE Leap 15.2 Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service CVE-2020-13950 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ https://www.suse.com/security/cve/CVE-2020-13950.html CVE-2020-13950 https://bugzilla.suse.com/1187040 SUSE Bug 1187040 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow CVE-2020-35452 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.15.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ https://www.suse.com/security/cve/CVE-2020-35452.html CVE-2020-35452 https://bugzilla.suse.com/1186922 SUSE Bug 1186922 https://bugzilla.suse.com/1187933 SUSE Bug 1187933 Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service CVE-2021-26690 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ https://www.suse.com/security/cve/CVE-2021-26690.html CVE-2021-26690 https://bugzilla.suse.com/1186923 SUSE Bug 1186923 https://bugzilla.suse.com/1187933 SUSE Bug 1187933 In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow CVE-2021-26691 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.15.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ https://www.suse.com/security/cve/CVE-2021-26691.html CVE-2021-26691 https://bugzilla.suse.com/1187017 SUSE Bug 1187017 https://bugzilla.suse.com/1187933 SUSE Bug 1187933 Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' CVE-2021-30641 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.15.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ https://www.suse.com/security/cve/CVE-2021-30641.html CVE-2021-30641 https://bugzilla.suse.com/1187174 SUSE Bug 1187174 Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a a footer. This led to a NULL pointer dereference on initialised memory, crashing reliably the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released. CVE-2021-31618 openSUSE Leap 15.2:apache2-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-devel-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-doc-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-event-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-example-pages-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-prefork-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-utils-2.4.43-lp152.2.15.1 openSUSE Leap 15.2:apache2-worker-2.4.43-lp152.2.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/F32WQ7K6A45WOBEDFMGMRXDC2F2SL3IF/ https://www.suse.com/security/cve/CVE-2021-31618.html CVE-2021-31618 https://bugzilla.suse.com/1186924 SUSE Bug 1186924 https://bugzilla.suse.com/1187933 SUSE Bug 1187933