openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)

high Nessus Plugin ID 75113

Synopsis

The remote openSUSE host is missing a security update.

Description

- complete overhaul of this package, with update to 2.7.5.

- ruleset update to 2.2.8-0-g0f07cbb.

- new configuration framework private to mod_security2:
/etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_1 0_setup.conf, then /etc/apache2/mod_security2.d/*.conf , as set up based on advice in /etc/apache2/conf.d/mod_security2.conf Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf

- !!! Please note that mod_unique_id is needed for mod_security2 to run!

- modsecurity-apache_2.7.5-build_fix_pcre.diff changes erroneaous linker parameter, preventing rpath in shared object.

- fixes contained for the following bugs :

- CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling

- [bnc#768293] multi-part bypass, minor threat

- CVE-2013-1915 [bnc#813190] XML external entity vulnerability

- CVE-2012-4528 [bnc#789393] rule bypass

- CVE-2013-2765 [bnc#822664] NULL pointer dereference crash

- new from 2.5.9 to 2.7.5, only major changes :

- GPLv2 replaced by Apache License v2

- rules are not part of the source tarball any longer, but maintaned upstream externally, and included in this package.

- documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form.

- renamed the term 'Encryption' in directives that actually refer to hashes. See CHANGES file for more details.

- new directive SecXmlExternalEntity, default off

- byte conversion issues on s390x when logging fixed.

- many small issues fixed that were discovered by a Coverity scanner

- updated reference manual

- wrong time calculation when logging for some timezones fixed.

- replaced time-measuring mechanism with finer granularity for measured request/answer phases. (Stopwatch remains for compat.)

- cookie parser memory leak fix

- parsing of quoted strings in multipart Content-Disposition headers fixed.

- SDBM deadlock fix

- @rsub memory leak fix

- cookie separator code improvements

- build failure fixes

- compile time option --enable-htaccess-config (set)

Solution

Update the affected apache2-mod_security2 packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=768293

https://bugzilla.novell.com/show_bug.cgi?id=789393

https://bugzilla.novell.com/show_bug.cgi?id=813190

https://bugzilla.novell.com/show_bug.cgi?id=822664

https://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html

Plugin Details

Severity: High

ID: 75113

File Name: openSUSE-2013-641.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource, p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo, p-cpe:/a:novell:opensuse:apache2-mod_security2, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2013

Reference Information

CVE: CVE-2009-5031, CVE-2012-2751, CVE-2012-4528, CVE-2013-1915, CVE-2013-2765