Detections
Analytics

openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)

high Nessus Plugin ID 75112

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

- complete overhaul of this package, with update to 2.7.5.

 - ruleset update to 2.2.8-0-g0f07cbb.

- new configuration framework private to mod_security2:
 /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_1 0_setup.conf, then /etc/apache2/mod_security2.d/*.conf , as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf

 - !!! Please note that mod_unique_id is needed for mod_security2 to run!

 - modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous linker parameter, preventing rpath in shared object.

 - fixes contained for the following bugs :

 - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling

 - [bnc#768293] multi-part bypass, minor threat

 - CVE-2013-1915 [bnc#813190] XML external entity vulnerability

 - CVE-2012-4528 [bnc#789393] rule bypass

 - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash

 - new from 2.5.9 to 2.7.5, only major changes :

 - GPLv2 replaced by Apache License v2

 - rules are not part of the source tarball any longer, but maintaned upstream externally, and included in this package.

 - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.

 - renamed the term 'Encryption' in directives that actually refer to hashes. See CHANGES file for more details.

 - new directive SecXmlExternalEntity, default off

 - byte conversion issues on s390x when logging fixed.

 - many small issues fixed that were discovered by a Coverity scanner

 - updated reference manual

 - wrong time calculation when logging for some timezones fixed.

 - replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)

 - cookie parser memory leak fix

 - parsing of quoted strings in multipart Content-Disposition headers fixed.

 - SDBM deadlock fix

 - @rsub memory leak fix

 - cookie separator code improvements

 - build failure fixes

 - compile time option --enable-htaccess-config (set)

Solution

Update the affected apache2-mod_security2 packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=768293

https://bugzilla.novell.com/show_bug.cgi?id=789393

https://bugzilla.novell.com/show_bug.cgi?id=813190

https://bugzilla.novell.com/show_bug.cgi?id=822664

https://lists.opensuse.org/opensuse-updates/2013-08/msg00025.html

Plugin Details

Severity: High

ID: 75112

File Name: openSUSE-2013-640.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:apache2-mod_security2, p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo, p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2013

Reference Information

CVE: CVE-2009-5031, CVE-2012-2751, CVE-2012-4528, CVE-2013-1915, CVE-2013-2765