openSUSE Security Update: security issues addressed, most notably the mod_security heap overflow known as CVE-2014-0226
______________________________________________________________________________
An update that solves 5 vulnerabilities and has one erratum is now available.
Description:
apache2:
- ECC support was added to mod_ssl.
- Fix for a race condition in mod_status, known as CVE-2014-0226, that can lead to information disclosure. mod_status is not active by default and is normally only open for connections from localhost.
- Fix for the bug known as CVE-2014-0098 that can crash the apache process if a specially crafted cookie is sent to the server (log_cookie.c).
- Fix for a crash bug in mod_dav known as CVE-2013-6438.
- Fix for a problem with non-responsive CGI scripts that would otherwise cause the server to stall and deny service (CVE-2014-0231). The new configuration parameter CGIDScriptTimeout defaults to 60s.
apache2-mod_security2:
- Specially crafted chunked HTTP requests allow an attacker to bypass filters configured in mod_security2. This vulnerability is known as CVE-2013-5705.
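The two mitigating factors the advisory leans on for the apache2 fixes are that mod_status is normally reachable only from localhost and that CGIDScriptTimeout now bounds how long a CGI script may stall the server. The following audit script is an added example, not part of the advisory or of the openSUSE apache2 package; it checks an Apache configuration for both points, accepting the Apache 2.2 Order/Allow/Deny idiom used by openSUSE 11.4 as well as the 2.4 Require idiom. The two embedded configurations (an exposed mod_status block and a localhost-only one with an explicit timeout) are constructed for the example, and the module path and the timeout value 30 in them are hypothetical.

```python
import re

# Constructed sample: mod_status loaded and its handler reachable from every
# host (the weak setting), no CGIDScriptTimeout set. Module path is hypothetical.
OPEN_STATUS_CONF = """
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
"""

# Constructed sample: same module, handler restricted to loopback addresses and an
# explicit CGID timeout (30 is a hypothetical value; the advisory's default is 60s).
HARDENED_CONF = """
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>
# keep hung CGI scripts from tying up worker processes
CGIDScriptTimeout 30
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.IGNORECASE | re.DOTALL)


def strip_comments(conf):
    """Drop whole-line Apache comments (a '#' only starts a comment at line start)."""
    return "\n".join(line for line in conf.splitlines() if not line.lstrip().startswith("#"))


def find_status_locations(conf):
    """Return (path, body) for every <Location> block handed to mod_status."""
    found = []
    for m in LOCATION_RE.finditer(conf):
        if re.search(r"^\s*SetHandler\s+server-status\s*$", m.group(2), re.I | re.M):
            found.append((m.group(1), m.group(2)))
    return found


def is_localhost_only(body):
    """True if the access rules in a block admit loopback clients only."""
    def has(pattern):
        return re.search(pattern, body, re.IGNORECASE | re.MULTILINE) is not None

    # Apache 2.4 authorization syntax
    if has(r"^\s*Require\s+all\s+granted\s*$"):
        return False
    if has(r"^\s*Require\s+local\s*$"):
        return True
    ips = re.findall(r"^\s*Require\s+ip\s+(.+?)\s*$", body, re.I | re.M)
    if ips and all(set(i.lower().split()) <= LOOPBACK for i in ips):
        return True
    # Apache 2.2 access syntax (what openSUSE 11.4's apache2 uses)
    allowed = set()
    for hosts in re.findall(r"^\s*Allow\s+from\s+(.+?)\s*$", body, re.I | re.M):
        allowed.update(hosts.lower().split())
    only_loopback = bool(allowed) and allowed <= LOOPBACK
    if has(r"^\s*Order\s+deny\s*,\s*allow\s*$"):
        # default is allow, so an explicit "Deny from all" is required too
        return only_loopback and has(r"^\s*Deny\s+from\s+all\s*$")
    if has(r"^\s*Order\s+allow\s*,\s*deny\s*$"):
        # default is deny; the allow list alone decides
        return only_loopback
    return False


def cgid_timeout(conf):
    """Return the configured CGIDScriptTimeout value as written, or None if absent."""
    m = re.search(r"^\s*CGIDScriptTimeout\s+(\S+)\s*$", conf, re.I | re.M)
    return m.group(1) if m else None


def audit(conf):
    """List the findings a reviewer would raise for this configuration."""
    clean = strip_comments(conf)
    findings = []
    if re.search(r"^\s*LoadModule\s+status_module\b", clean, re.I | re.M):
        for path, body in find_status_locations(clean):
            if not is_localhost_only(body):
                findings.append(f"{path}: mod_status handler reachable from non-local hosts")
    if cgid_timeout(clean) is None:
        findings.append("CGIDScriptTimeout not set explicitly (60s default applies once patched)")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_STATUS_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run against a real installation by reading the server's configuration files into the `audit` function; the script only inspects text, so it is safe to run on a production host.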
Patch Instructions:
To install this openSUSE Security Update, use YaST online_update. Alternatively, you can run the command listed for your product:
- openSUSE 11.4:
zypper in -t patch 2014-72
To bring your system up-to-date, use "zypper patch".