{"affected":[{"ecosystem_specific":{"binaries":[{"apache2":"2.2.34-70.12.1","apache2-devel":"2.2.34-70.12.1","apache2-doc":"2.2.34-70.12.1","apache2-example-pages":"2.2.34-70.12.1","apache2-prefork":"2.2.34-70.12.1","apache2-utils":"2.2.34-70.12.1","apache2-worker":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 11 SP4","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache2":"2.2.34-70.12.1","apache2-devel":"2.2.34-70.12.1","apache2-doc":"2.2.34-70.12.1","apache2-example-pages":"2.2.34-70.12.1","apache2-prefork":"2.2.34-70.12.1","apache2-utils":"2.2.34-70.12.1","apache2-worker":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Point of Sale 11 SP3","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache2":"2.2.34-70.12.1","apache2-devel":"2.2.34-70.12.1","apache2-doc":"2.2.34-70.12.1","apache2-example-pages":"2.2.34-70.12.1","apache2-prefork":"2.2.34-70.12.1","apache2-utils":"2.2.34-70.12.1","apache2-worker":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 11 SP3-LTSS","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache2":"2.2.34-70.12.1","apache2-devel":"2.2.34-70.12.1","apache2-doc":"2.2.34-70.12.1","apache2-example-pages":"2.2.34-70.12.1","apache2-prefork":"2.2.34-70.12.1","apache2-utils":"2.2.34-70.12.1","apache2-worker":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 11 
SP3-TERADATA","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache2":"2.2.34-70.12.1","apache2-doc":"2.2.34-70.12.1","apache2-example-pages":"2.2.34-70.12.1","apache2-prefork":"2.2.34-70.12.1","apache2-utils":"2.2.34-70.12.1","apache2-worker":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 11 SP4","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache2":"2.2.34-70.12.1","apache2-doc":"2.2.34-70.12.1","apache2-example-pages":"2.2.34-70.12.1","apache2-prefork":"2.2.34-70.12.1","apache2-utils":"2.2.34-70.12.1","apache2-worker":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 11 SP4","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"apache2-devel":"2.2.34-70.12.1"}]},"package":{"ecosystem":"SUSE:Studio Onsite 1.3","name":"apache2","purl":"pkg:rpm/suse/apache2&distro=SUSE%20Studio%20Onsite%201.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.34-70.12.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for apache2 fixes the following issues:\n\n- Allow disabling SNI on proxy connections using 'SetEnv proxy-disable-sni 1' in the configuration files. (bsc#1052830)\n- Allow ECDH again in mod_ssl, it had been incorrectly disabled with the 2.2.34 update. 
(bsc#1064561)\n\nThe following security issue has been fixed:\n\n- CVE-2017-9798: A use-after-free in the OPTIONS command could be used by attackers to disclose memory of the Apache server process, when htaccess uses an incorrect Limit statement. (bsc#1058058)\n\nAdditionally, references to the following security issues, fixed by the previous version-update of apache2\nto Apache HTTPD 2.2.34 have been added:\n\n- CVE-2017-7668: The HTTP strict parsing introduced a bug in token list parsing, which allowed ap_find_token() to\n  search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may\n  have been able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. (bsc#1045061)\n- CVE-2017-3169: mod_ssl may have de-referenced a NULL pointer when third-party modules call \n  ap_hook_process_connection() during an HTTP request to an HTTPS port allowing for DoS. (bsc#1045062)\n- CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may have\n  led to authentication requirements being bypassed. (bsc#1045065)\n- CVE-2017-7679: mod_mime could have read one byte past the end of a buffer when sending a malicious Content-Type\n  response header. 
(bsc#1045060)\n","id":"SUSE-SU-2017:2907-1","modified":"2017-10-30T14:55:59Z","published":"2017-10-30T14:55:59Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2017/suse-su-20172907-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045060"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045061"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045062"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045065"},{"type":"REPORT","url":"https://bugzilla.suse.com/1052830"},{"type":"REPORT","url":"https://bugzilla.suse.com/1058058"},{"type":"REPORT","url":"https://bugzilla.suse.com/1064561"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2009-2699"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2010-0425"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2012-0021"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2014-0118"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-3167"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-3169"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7668"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7679"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-9798"}],"related":["CVE-2009-2699","CVE-2010-0425","CVE-2012-0021","CVE-2014-0118","CVE-2017-3167","CVE-2017-3169","CVE-2017-7668","CVE-2017-7679","CVE-2017-9798"],"summary":"Security update for apache2","upstream":["CVE-2009-2699","CVE-2010-0425","CVE-2012-0021","CVE-2014-0118","CVE-2017-3167","CVE-2017-3169","CVE-2017-7668","CVE-2017-7679","CVE-2017-9798"]}