SuSE 11.2 / 11.3 Security Update : Apache2 (SAT Patch Numbers 8137 / 8138)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 11 host is missing one or more security updates.

Description :

This collective update for Apache provides the following fixes :

- Make sure that input that has already arrived on the
socket is not discarded during a non-blocking read
(read(2) returns 0 and errno is set to -EAGAIN).
(bnc#815621)

- Close the connection just before an attempted
re-negotiation if data has been read with pipelining.
This is done by resetting the keepalive status.
(bnc#815621)

- Reset the renegotiation status of a client<->server
connection to RENEG_INIT to prevent falsely assumed
status. (bnc#791794)

- 'OPTIONS *' internal requests are intercepted by a dummy
filter that kicks in for the OPTIONS method. Apple
iPrint uses 'OPTIONS *' to upgrade the connection to
TLS/1.0 following RFC 2817. For compatibility, check if
an Upgrade request header is present and skip the filter
if yes. (bnc#791794)

- Sending a MERGE request against a URI handled by
mod_dav_svn with the source href (sent as part of the
request body as XML) pointing to a URI that is not
configured for DAV will trigger a segfault. (bnc#829056,
CVE-2013-1896)

- Client data written to the RewriteLog must have terminal
escape sequences escaped. (bnc#829057, CVE-2013-1862)

See also :

https://bugzilla.novell.com/show_bug.cgi?id=791794
https://bugzilla.novell.com/show_bug.cgi?id=815621
https://bugzilla.novell.com/show_bug.cgi?id=829056
https://bugzilla.novell.com/show_bug.cgi?id=829057
http://support.novell.com/security/cve/CVE-2013-1862.html
http://support.novell.com/security/cve/CVE-2013-1896.html

Solution :

Apply SAT patch number 8137 / 8138 as appropriate.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 69474

CVE ID: CVE-2013-1862, CVE-2013-1896