SuSE 11.3 Security Update : apache2 (SAT Patch Number 10533)

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

The remote SuSE 11 host is missing one or more security updates.

Description :

The Apache2 webserver was updated to fix various issues.

The following feature was added :

- Provide support for the tunneling of web socket
connections to a backend websockets server.
(FATE#316880) The following security issues have been
fixed :

- The mod_headers module in the Apache HTTP Server 2.2.22
allowed remote attackers to bypass 'RequestHeader unset'
directives by placing a header in the trailer portion of
data sent with chunked transfer coding. The fix also
adds a 'MergeTrailers' directive to restore legacy
behavior. (CVE-2013-5704)

- The cache_merge_headers_out function in
modules/cache/cache_util.c in the mod_cache module in
the Apache HTTP Server allowed remote attackers to cause
a denial of service (NULL pointer dereference and
application crash) via an empty HTTP Content-Type
header. (CVE-2014-3581)

- Apache HTTP Server allowed remote attackers to obtain
sensitive information via (1) the ETag header, which
reveals the inode number, or (2) multipart MIME
boundary, which reveals child process IDs (PID). We so
far assumed that this not useful to attackers, the fix
is basically just reducing potential information leaks.

The following bugs have been fixed :

- Treat the 'server unavailable' condition as a transient
error with all LDAP SDKs. (bsc#904427)

- Fixed a segmentation fault at startup if the certs are
shared across > 1 server_rec. (bsc#907339)

See also :

Solution :

Apply SAT patch number 10533.

Risk factor :

Medium / CVSS Base Score : 5.0

Family: SuSE Local Security Checks

Nessus Plugin ID: 82657 ()

Bugtraq ID:

CVE ID: CVE-2003-1418

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now