SUSE-SU-2022:0928-1
- Source
- https://www.suse.com/support/update/announcement/2022/suse-su-20220928-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:0928-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2022:0928-1
- Related
- Published
- 2022-03-21T18:34:20Z
- Modified
- 2022-03-21T18:34:20Z
- Summary
- Security update for apache2
- Details
-
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
Also TLS 1.3 support and openssl 1.1.1 usage was disabled again as it caused regressions in various usage scenarios due to the combination between openssl 1.0.2 and 1.1.1 linkage without correct symbol versions by other libraries / tools. (bsc#1197301 bsc#1197177 bsc#1196249)
- References
-
- https://www.suse.com/support/update/announcement/2022/suse-su-20220928-1/
- https://bugzilla.suse.com/1196249
- https://bugzilla.suse.com/1197091
- https://bugzilla.suse.com/1197095
- https://bugzilla.suse.com/1197096
- https://bugzilla.suse.com/1197098
- https://bugzilla.suse.com/1197177
- https://bugzilla.suse.com/1197301
- https://www.suse.com/security/cve/CVE-2022-22719
- https://www.suse.com/security/cve/CVE-2022-22720
- https://www.suse.com/security/cve/CVE-2022-22721
- https://www.suse.com/security/cve/CVE-2022-23943
Affected packages
SUSE:Linux Enterprise Software Development Kit 12 SP5 / apache2
Package
- Name
- apache2
- Purl
- purl:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
SUSE:Linux Enterprise Server 12 SP5 / apache2
Package
- Name
- apache2
- Purl
- purl:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5