First Last Prev Next    This bug is not in your last search results.
Bug 918352 - (CVE-2015-0228) VUL-1: CVE-2015-0228: apache2: mod_lua websocket DoS
(CVE-2015-0228)
VUL-1: CVE-2015-0228: apache2: mod_lua websocket DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/113930/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-18 09:56 UTC by Johannes Segitz
Modified: 2016-04-27 20:18 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
upstream patch (1.59 KB, patch)
2015-02-23 17:46 UTC, Kristyna Streitova 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2015-02-18 09:56:31 UTC 
CVE-2015-0228

mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.

Fixed in 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0228
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0228.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228
Comment 1 Swamp Workflow Management 2015-02-18 23:00:43 UTC 
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2015-02-23 17:00:10 UTC 
This is an autogenerated message for OBS integration:
This bug (918352) was mentioned in
https://build.opensuse.org/request/show/287371 13.2 / apache2
Comment 3 Kristyna Streitova 2015-02-23 17:46:12 UTC 
Created attachment 624214 [details]
upstream patch

The following table expresses which products are affected (just Apache 2.4.x) and the current state of submissions:

+---------------+---------+----------+----------------+
|    product    | version | affected |    #sr/#mr     |
+---------------+---------+----------+----------------+
| SLE 11        | 2.2.12  | no       | -              |
| SLE 12        | 2.4.10  | yes      | wait for SWAMP |
| openSUSE 13.1 | 2.4.6   | no *     | -              |
| openSUSE 13.2 | 2.4.10  | yes      | #287371        |
| Factory       | 2.4.11  | yes      | #287376        |
+---------------+---------+----------+----------------+

* mod_lua Websocket support was added later than Apache 2.4.6 was released therefore there isn't any affected code yet.
Comment 5 Bernhard Wiedemann 2015-02-25 21:00:29 UTC 
This is an autogenerated message for OBS integration:
This bug (918352) was mentioned in
https://build.opensuse.org/request/show/287777 Factory / apache2
Comment 6 Swamp Workflow Management 2015-03-04 11:05:07 UTC 
openSUSE-SU-2015:0418-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 918352
CVE References: CVE-2015-0228
Sources used:
openSUSE 13.2 (src):    apache2-2.4.10-16.1
Comment 7 Kristyna Streitova 2015-03-13 15:23:24 UTC 
There is nothing to do yet. I reassigned this bug to the security-team until the submission for SLE12 is needed.
Comment 8 Kristyna Streitova 2015-04-02 16:56:27 UTC 
Submitted to SLE12: https://build.suse.de/request/show/54654
Comment 9 Swamp Workflow Management 2015-06-01 07:06:33 UTC 
SUSE-SU-2015:0974-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 792309,871310,899836,909715,918352,923090
CVE References: CVE-2013-5704,CVE-2014-3581,CVE-2014-8109,CVE-2015-0228
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    apache2-2.4.10-12.1
SUSE Linux Enterprise Server 12 (src):    apache2-2.4.10-12.1
Comment 10 Marcus Meissner 2015-10-02 07:14:36 UTC 
was released a while ago.
First Last Prev Next    This bug is not in your last search results.