openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

- complete overhaul of this package, with update to 2.7.5.

- ruleset update to 2.2.8-0-g0f07cbb.

- new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads 0_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is

- !!! Please note that mod_unique_id is needed for mod_security2 to run!

- modsecurity-apache_2.7.5-build_fix_pcre.diff changes an erroneous linker parameter, preventing rpath in shared

- fixes contained for the following bugs :

  - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling

  - [bnc#768293] multi-part bypass, minor threat

  - CVE-2013-1915 [bnc#813190] XML external entity

  - CVE-2012-4528 [bnc#789393] rule bypass

  - CVE-2013-2765 [bnc#822664] NULL pointer dereference

- changes from 2.5.9 to 2.7.5, only major changes listed :

  - GPLv2 replaced by Apache License v2

  - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this

  - documentation was externalized to a wiki. The package contains the FAQ and the reference manual in HTML form.

  - renamed the term 'Encryption' in directives that actually refer to hashes. See CHANGES file for more

  - new directive SecXmlExternalEntity, default off

  - byte conversion issues on s390x when logging fixed.

  - many small issues fixed that were discovered by a Coverity scanner

  - updated reference manual

  - wrong time calculation when logging for some timezones fixed

  - replaced time-measuring mechanism with one of finer granularity for the measured request/answer phases. (Stopwatch remains for compatibility.)

  - cookie parser memory leak fix

  - parsing of quoted strings in multipart Content-Disposition headers fixed.

  - SDBM deadlock fix

  - @rsub memory leak fix

  - cookie separator code improvements

  - build failure fixes

  - compile time option --enable-htaccess-config (set)

Solution :

Update the affected apache2-mod_security2 packages.

Risk factor :

High / CVSS Base Score : 7.5

Family: SuSE Local Security Checks

Nessus Plugin ID: 75113

CVE ID: CVE-2009-5031
