Bugzilla – Bug 871309
VUL-0: CVE-2013-5705: apache2-mod_security2: bypass of intended rules via chunked requests
Last modified: 2014-09-01 13:13:27 UTC
Via rh#1082904:

Martin Holst Swende discovered a flaw in the way mod_security handled chunked requests. A remote attacker could use this flaw to bypass intended mod_security restrictions, allowing them to send requests containing content that should have been removed by mod_security.

This issue was corrected in mod_security version 2.7.6.

Upstream patch:
https://github.com/SpiderLabs/ModSecurity/commit/f8d441cd25172fdfe5b613442fedfc0da3cc333d

CVE-2013-5705 was assigned to this issue.

References:
http://martin.swende.se/blog/HTTPChunked.html
https://bugzilla.redhat.com/show_bug.cgi?id=1082904
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5705
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-07-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58198
Affected packages: SLE-11-SP3: apache2-mod_security2
ping
SLE11 package was submitted. No notice about this yet in this bugzilla, though.
package seen and checked in, thanks
openSUSE packages WIP
This is an autogenerated message for OBS integration:
This bug (871309) was mentioned in
https://build.opensuse.org/request/show/243188 13.1+12.3 / apache2-mod_security2
https://build.opensuse.org/request/show/243191 Evergreen:11.4 / apache2-mod_security2.openSUSE_Evergreen_11.4
A regression between which versions (RPM/SLE/openSUSE)?
investigating...
(In reply to comment #12)
> A regression between which versions (RPM/SLE/openSUSE)?

fletcher:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3
fletcher:~ # rpm -q apache2-mod_security2
apache2-mod_security2-2.7.1-0.2.16.1
I cannot follow this - my tests have been successfully completed. Shu Kui, which exact version of the apache2 package are you using?
/usr/lib/apache2/mod_security2.so is not a file that is contained in the package mentioned above. The setup is hosed, I'm afraid. Either you test the 32bit stack, or the 64bit stack. Both mixed does not make sense.
ok, it's getting worse, unfortunately. On a 32bit stack consisting of glibc-32bit, libapr1(i586), libapr-util1 (i586), all apache packages 32bit arch, the daemon fails to load with the symbol error above. Looking for m_strstr() in the libraries.
Corrected packages will be submitted shortly.
The problem was indeed that m_strstr() cannot be used in the context. In fact, the compilation should have failed. Shu Kui, could you reproduce the error with a clean setup?
(In reply to comment #19)
> The problem was indeed that m_strstr() cannot be used in the context.
> In fact, the compilation should have failed.
> Shu Kui, could you reproduce the error with a clean setup?

I think it's a clean setup, because I've uninstalled apache related packages and re-installed them.

# rpm -qa| grep apache
apache2-2.2.12-1.46.1
apache2-mod_security2-2.7.1-0.2.16.1
apache2-utils-2.2.12-1.46.1
apache2-example-pages-2.2.12-1.46.1
apache2-doc-2.2.12-1.46.1
apache2-prefork-2.2.12-1.46.1

The regression testcase and test log will be attached.
openSUSE-SU-2014:0969-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 859916,869105,869106,871309,887765,887768
CVE References: CVE-2013-5705,CVE-2013-6438,CVE-2014-0098,CVE-2014-0226,CVE-2014-0231
Sources used:
openSUSE 11.4 (src): apache2-2.2.17-80.1, apache2-mod_security2-2.7.5-16.1
SUSE-SU-2014:0972-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 871309
CVE References: CVE-2013-5705
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): apache2-mod_security2-2.7.1-0.2.18.1
SUSE Linux Enterprise Server 11 SP3 (src): apache2-mod_security2-2.7.1-0.2.18.1
openSUSE-SU-2014:1047-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 871309
CVE References: CVE-2013-5705
Sources used:
openSUSE 13.1 (src): apache2-mod_security2-2.8.0-4.4.1
openSUSE 12.3 (src): apache2-mod_security2-2.7.5-2.10.1
released