openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)
High Nessus Plugin ID 75113
Synopsis
The remote openSUSE host is missing a security update.
Description
- complete overhaul of this package, with update to 2.7.5.
- ruleset update to 2.2.8-0-g0f07cbb.
- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on the advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf.
- !!! Please note that mod_unique_id is needed for mod_security2 to run!
- modsecurity-apache_2.7.5-build_fix_pcre.diff changes an erroneous linker parameter, preventing an rpath in the shared object.
- fixes contained for the following bugs:
- CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling
- [bnc#768293] multi-part bypass, minor threat
- CVE-2013-1915 [bnc#813190] XML external entity vulnerability
- CVE-2012-4528 [bnc#789393] rule bypass
- CVE-2013-2765 [bnc#822664] NULL pointer dereference crash
- news from 2.5.9 to 2.7.5 (major changes only):
- GPLv2 replaced by Apache License v2
- rules are not part of the source tarball any longer, but are maintained upstream externally and included in this package.
- documentation was externalized to a wiki. The package contains the FAQ and the reference manual in HTML form.
- renamed the term 'Encryption' in directives that actually refer to hashes. See CHANGES file for more details.
- new directive SecXmlExternalEntity, default off
- byte conversion issues on s390x when logging fixed.
- many small issues fixed that were discovered by a Coverity scanner
- updated reference manual
- wrong time calculation when logging for some timezones fixed.
- replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)
- cookie parser memory leak fix
- parsing of quoted strings in multipart Content-Disposition headers fixed.
- SDBM deadlock fix
- @rsub memory leak fix
- cookie separator code improvements
- build failure fixes
- compile-time option --enable-htaccess-config (set)
Solution
Update the affected apache2-mod_security2 packages.
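The following Python check is an added example and is not part of this advisory or of the apache2-mod_security2 package. It parses an Apache configuration text and reports whether mod_unique_id is loaded (the advisory notes that mod_security2 needs it to run), whether the CRS setup file modsecurity_crs_10_setup.conf is included from the configuration chain described above, and whether SecXmlExternalEntity has been switched On rather than left at its default of Off. The two configuration samples are constructed for the example; the module paths in them are assumptions.

```python
import re

# Constructed sample of the layout the advisory describes; it is not a copy
# of the package's shipped files, and the module paths are assumptions.
SAMPLE_GOOD = """
LoadModule unique_id_module /usr/lib64/apache2/mod_unique_id.so
LoadModule security2_module /usr/lib64/apache2/mod_security2.so
<IfModule security2_module>
    Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
    Include /etc/apache2/mod_security2.d/*.conf
    SecRuleEngine On
    # SecXmlExternalEntity left unset: the 2.7.x default is Off
</IfModule>
"""

# Constructed counter-example: mod_unique_id is missing, the CRS setup file
# is not included, and XML external entities have been enabled explicitly.
SAMPLE_BAD = """
LoadModule security2_module /usr/lib64/apache2/mod_security2.so
SecRuleEngine On
SecXmlExternalEntity On
"""

# One directive per line: a directive name followed by its argument string.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*$")


def parse_directives(text):
    """Return (directive, argument_string) pairs, skipping comments and
    container tags such as <IfModule>. Directive names are lower-cased
    because Apache treats them case-insensitively."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("<"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out


def loaded_modules(directives):
    """Module identifiers named by LoadModule directives."""
    return {args.split()[0] for d, args in directives
            if d == "loadmodule" and args.split()}


def check_modsecurity_config(text):
    """Return a list of findings; an empty list means the three checks pass."""
    directives = parse_directives(text)
    mods = loaded_modules(directives)
    findings = []
    if "security2_module" not in mods:
        findings.append("mod_security2 is not loaded")
    if "unique_id_module" not in mods:
        findings.append("mod_unique_id is not loaded; mod_security2 needs it to run")

    # The last occurrence of a directive wins, as in Apache itself.
    xxe = None
    for d, args in directives:
        if d == "secxmlexternalentity":
            xxe = args.strip().lower()
    if xxe == "on":
        findings.append("SecXmlExternalEntity is On; the package default is Off")

    includes = [args for d, args in directives if d in ("include", "includeoptional")]
    if not any("modsecurity_crs_10_setup.conf" in inc for inc in includes):
        findings.append("CRS setup file modsecurity_crs_10_setup.conf is not included")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_modsecurity_config(sample) or "ok")
```

To run it against a real host, read the concatenated output of the relevant files (for example /etc/apache2/conf.d/mod_security2.conf and everything it includes) into a string and pass it to check_modsecurity_config; the parser deliberately ignores container tags, so a LoadModule inside an <IfDefine> block still counts as loaded.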