Bug 716634

Summary: VUL-0: CVE-2011-3192: apache2: remote denial of service
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: chris.randles, mattehle, mcihar, meissner, mkubecek, mrueckert, security-team, stephan.barth, ursula.brueckner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2011-09-08 11:55:20 UTC
+++ This bug was initially created as a clone of internal tracker Bug #713966,
as that one had private customer information +++

There was a posting on full-disclosure recently about an apache2 remote denial of service vulnerability, see:

  * http://marc.info/?t=131379269200002&r=1&w=2
  * http://marc.info/?t=131409787700005&r=1&w=2

Apache 2.2, 2.0 and 1.3 are affected, i.e. all Apache versions shipping in our products.

Apache updates for:

  * SUSE Linux Enterprise 11 SP1
  * SUSE Linux Enterprise 10 SP3
  * SUSE Linux Enterprise 10 SP4
  * openSUSE 11.3, 11.4

were released; please see http://support.novell.com/security/cve/CVE-2011-3192.html for the released versions.

Mitigation methods:

  * Apply one of the various filtering suggestions from the Apache project:
    http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E

  * Restrict the ulimit of the apache processes to avoid running the system
    out of memory. This requires use of a forking Apache worker, like apache2-prefork.

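The Apache project's filtering suggestion linked above rejects requests whose Range header carries more than five byte-ranges (in the advisory this is a mod_rewrite rule). The following is an added Python example, not code from this bug report or from the Apache advisory, that applies the same limit to a Range header value so a front-end proxy or a log-review script can refuse or flag the abusive many-ranges pattern; the sample header values are constructed.

```python
import re

# Maximum number of byte-ranges accepted per request. The limit of five is
# the one used by the Apache project's CVE-2011-3192 mod_rewrite mitigation.
MAX_RANGES = 5

# One byte-range spec: "first-last", "first-" or "-suffix_length"
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(range_header):
    """Parse a 'Range: bytes=...' value into a list of (first, last) tuples.

    first/last are ints, or None for open-ended ranges. Returns None when
    the value is not a syntactically valid byte-range set.
    """
    if range_header is None:
        return []
    value = range_header.strip()
    if not value.lower().startswith("bytes="):
        return None
    specs = []
    for part in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # malformed spec such as "-" or "a-b"
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        specs.append((first, last))
    return specs


def range_header_allowed(range_header, max_ranges=MAX_RANGES):
    """Return True if the request may be served, False if it should be refused.

    A missing or empty Range header is always allowed (the request is simply
    served whole). Malformed range sets and sets with more than max_ranges
    ranges, the CVE-2011-3192 pattern of hundreds of ranges per request that
    each cost the server a separate buffer, are refused.
    """
    if range_header is None or range_header.strip() == "":
        return True
    specs = parse_byte_ranges(range_header)
    if specs is None:
        return False
    return len(specs) <= max_ranges


# Constructed sample values (not taken from the bug report)
NORMAL_RANGE = "bytes=0-499"
ABUSIVE_RANGE = "bytes=" + ",".join("0-%d" % i for i in range(1, 1301))
```
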
Comment 5 Ludwig Nussel 2011-12-13 09:00:50 UTC
all released