Bugzilla – Bug 1178074
CVE-2020-11993 not actually fixed?
Last modified: 2021-01-12 12:16:46 UTC
Hello, this advisory claims that CVE-2020-11993 has been fixed in apache2 for 15.1: https://www.suse.com/support/update/announcement/2020/suse-su-20202344-1/ But, the SPEC file in the Leap_15.1_Update maintenance project[1] contains this: # CVE-2020-11993 [bsc#1175070], CVE-2020-9490 [bsc#1175071] Patch137: apache2-mod_http2-1.15.14.patch [...] #%patch137 -p1 The fact that the %patch137 macro is commented does not look right. Thanks Carsten [1] https://build.opensuse.org/package/view_file/openSUSE:Maintenance:14670/apache2.openSUSE_Leap_15.1_Update/apache2.spec?expand=1
(In reply to Carsten Wolff from comment #0) > Hello, > > this advisory claims that CVE-2020-11993 has been fixed in apache2 for 15.1: > https://www.suse.com/support/update/announcement/2020/suse-su-20202344-1/ > > But, the SPEC file in the Leap_15.1_Update maintenance project[1] contains > this: > # CVE-2020-11993 [bsc#1175070], CVE-2020-9490 [bsc#1175071] > Patch137: apache2-mod_http2-1.15.14.patch > [...] > #%patch137 -p1 > > The fact that the %patch137 macro is commented does not look right. > > Thanks > Carsten > > [1] > https://build.opensuse.org/package/view_file/openSUSE:Maintenance:14670/ > apache2.openSUSE_Leap_15.1_Update/apache2.spec?expand=1 Thanks for your report. You seem right. We will look into it.
I can see that the comment out only exists in SLE15 the rest codestreams are OK.
Thanks for review, package was submitted.
home:pgajdos:apache-test:after looks good. Reassigning to security team. Apologize for this error.
SUSE-SU-2020:3067-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1175070,1175071,1178074 CVE References: CVE-2020-11993,CVE-2020-9490 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-3.41.1 SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-3.41.1 SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): apache2-2.4.33-3.41.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-3.41.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-3.41.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released for sle15, updates also in 15.x QA queue
openSUSE-SU-2020:1792-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1175070,1175071,1178074 CVE References: CVE-2020-11993,CVE-2020-9490 JIRA References: Sources used: openSUSE Leap 15.1 (src): apache2-2.4.33-lp151.8.21.1