openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)

High Nessus Plugin ID 75113


The remote openSUSE host is missing a security update.


- complete overhaul of this package, with update to 2.7.5.

- ruleset update to 2.2.8-0-g0f07cbb.

- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_1 0_setup.conf, then /etc/apache2/mod_security2.d/*.conf , as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf

- !!! Please note that mod_unique_id is needed for mod_security2 to run!

- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous linker parameter, preventing rpath in shared object.

- fixes contained for the following bugs :

- CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling

- [bnc#768293] multi-part bypass, minor threat

- CVE-2013-1915 [bnc#813190] XML external entity vulnerability

- CVE-2012-4528 [bnc#789393] rule bypass

- CVE-2013-2765 [bnc#822664] NULL pointer dereference crash

- new from 2.5.9 to 2.7.5, only major changes :

- GPLv2 replaced by Apache License v2

- rules are not part of the source tarball any longer, but maintaned upstream externally, and included in this package.

- documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.

- renamed the term 'Encryption' in directives that actually refer to hashes. See CHANGES file for more details.

- new directive SecXmlExternalEntity, default off

- byte conversion issues on s390x when logging fixed.

- many small issues fixed that were discovered by a Coverity scanner

- updated reference manual

- wrong time calculation when logging for some timezones fixed.

- replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)

- cookie parser memory leak fix

- parsing of quoted strings in multipart Content-Disposition headers fixed.

- SDBM deadlock fix

- @rsub memory leak fix

- cookie separator code improvements

- build failure fixes

- compile time option --enable-htaccess-config (set)


Update the affected apache2-mod_security2 packages.

See Also

Plugin Details

Severity: High

ID: 75113

File Name: openSUSE-2013-641.nasl

Version: $Revision: 1.3 $

Type: local

Agent: unix

Published: 2014/06/13

Modified: 2018/02/02

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:apache2-mod_security2, p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo, p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/08/05

Reference Information

CVE: CVE-2009-5031, CVE-2012-2751, CVE-2012-4528, CVE-2013-1915, CVE-2013-2765

OSVDB: 83178, 86408, 91948, 93687