openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- complete overhaul of this package, with update to 2.7.5.

- ruleset update to 2.2.8-0-g0f07cbb.

- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads
/usr/share/apache2-mod_security2/rules/modsecurity_crs_1
0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,
as set up based on advice in
/etc/apache2/conf.d/mod_security2.conf Your
configuration starting point is
/etc/apache2/conf.d/mod_security2.conf

- !!! Please note that mod_unique_id is needed for
mod_security2 to run!

- modsecurity-apache_2.7.5-build_fix_pcre.diff changes
erroneaous linker parameter, preventing rpath in shared
object.

- fixes contained for the following bugs :

- CVE-2009-5031, CVE-2012-2751 [bnc#768293] request
parameter handling

- [bnc#768293] multi-part bypass, minor threat

- CVE-2013-1915 [bnc#813190] XML external entity
vulnerability

- CVE-2012-4528 [bnc#789393] rule bypass

- CVE-2013-2765 [bnc#822664] NULL pointer dereference
crash

- new from 2.5.9 to 2.7.5, only major changes :

- GPLv2 replaced by Apache License v2

- rules are not part of the source tarball any longer, but
maintaned upstream externally, and included in this
package.

- documentation was externalized to a wiki. Package
contains the FAQ and the reference manual in html form.

- renamed the term 'Encryption' in directives that
actually refer to hashes. See CHANGES file for more
details.

- new directive SecXmlExternalEntity, default off

- byte conversion issues on s390x when logging fixed.

- many small issues fixed that were discovered by a
Coverity scanner

- updated reference manual

- wrong time calculation when logging for some timezones
fixed.

- replaced time-measuring mechanism with finer granularity
for measured request/answer phases. (Stopwatch remains
for compat.)

- cookie parser memory leak fix

- parsing of quoted strings in multipart
Content-Disposition headers fixed.

- SDBM deadlock fix

- @rsub memory leak fix

- cookie separator code improvements

- build failure fixes

- compile time option --enable-htaccess-config (set)

See also :

http://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html
https://bugzilla.novell.com/show_bug.cgi?id=768293
https://bugzilla.novell.com/show_bug.cgi?id=789393
https://bugzilla.novell.com/show_bug.cgi?id=813190
https://bugzilla.novell.com/show_bug.cgi?id=822664

Solution :

Update the affected apache2-mod_security2 packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 75112 ()

Bugtraq ID:

CVE ID: CVE-2009-5031
CVE-2012-2751
CVE-2012-4528
CVE-2013-1915
CVE-2013-2765

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now