Bugzilla – Bug 938723
VUL-1: CVE-2015-3185: apache2: replacement of ap_some_auth_required with new ap_some_authn_required and ap_force_authn
Last modified: 2017-09-13 15:46:49 UTC
rh#1243888

http://www.apache.org/dist/httpd/CHANGES_2.4.16

Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1243888
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3185
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3185.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-08-07. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62232
Fixes:
=====
- 2.4.x fix svn: http://svn.apache.org/viewvc?view=revision&revision=1684525
- 2.4.x fix git: https://github.com/apache/httpd/commit/c3f98ce69b9c8ddc936380e9d7cf03feca809558 (they have a wrong CVE there but it's the same patch as in svn)

Affected products (only 2.4.x branch is affected by this issue):
=================
| Product       | Version |
|---------------|---------|
| SLE12         | 2.4.10  |
| openSUSE 13.1 | 2.4.6   |
| openSUSE 13.2 | 2.4.10  |
Created attachment 642959
2.4.x fix for CVE-2015-3185

A patch for apache 2.4.x
*** Bug 939516 has been marked as a duplicate of this bug. ***
SLE12 fix submitted. See mr#64852 (https://build.suse.de/request/show/64852)
Kristyna, great, thanks. Should I do the rest or will you do it?
(In reply to Petr Gajdos from comment #9)
> Kristyna, great, thanks.
>
> Should I do the rest or will you do it?

I will do it next week.
Submitted to openSUSE 13.1 & 13.2:
https://build.opensuse.org/request/show/333177

Closing.
This is an autogenerated message for OBS integration:
This bug (938723) was mentioned in
https://build.opensuse.org/request/show/333177 13.2+13.1 / apache2
Sorry, there still is a running update. Rather reopening and reassigning to security-team.
openSUSE-SU-2015:1684-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 931723,938723,938728
CVE References: CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
openSUSE 13.2 (src): apache2-2.4.10-28.1
openSUSE 13.1 (src): apache2-2.4.6-6.50.1
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src): apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src): apache2-mod_fastcgi-2.4.7-3.4.1
done