Bug 716634 - VUL-0: CVE-2011-3192: apache2: remote denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
 
Reported: 2011-09-08 11:55 UTC by Marcus Meissner
Modified: 2011-12-13 09:00 UTC

Description Marcus Meissner 2011-09-08 11:55:20 UTC
+++ This bug was initially created as a clone of internal tracker Bug #713966,
as that one had private customer information +++

There was a posting on full-disclosure recently about an apache2 remote denial of service vulnerability, see:

  * http://marc.info/?t=131379269200002&r=1&w=2
  * http://marc.info/?t=131409787700005&r=1&w=2

Apache 2.2, 2.0 and 1.3 are affected, so all shipping Apache versions on our products.

Apache updates for:
SUSE Linux Enterprise 11 SP1
SUSE Linux Enterprise 10 SP3
SUSE Linux Enterprise 10 SP4
openSUSE 11.3, 11.4
were released, please see http://support.novell.com/security/cve/CVE-2011-3192.html for the released versions.


Mitigation methods:
   - Apply one of the various filtering suggestions from the Apache project:
     http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E
   
   - Restrict the ulimit of the apache processes to avoid running the system
     out of memory. This requires usage of a forking Apache worker, like apache2-prefork.
Comment 5 Ludwig Nussel 2011-12-13 09:00:50 UTC
all released