does CVE-2017-9798 affect us?

does CVE-2017-9798 affect us?

Mathias Homann-2
Hi,

just came across https://arstechnica.com/information-technology/2017/09/apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/, does
CVE-2017-9798 affect openSUSE/SLES/SLED?


Cheers
Mathias

--
Mathias Homann
Senior Systems Engineer, IT Consultant. IT Trainer
[hidden email]
http://www.tuxonline.tech
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102


Re: does CVE-2017-9798 affect us?

Marcus Meissner
On Thu, Sep 21, 2017 at 09:15:25AM +0200, Mathias Homann wrote:
> Hi,
>
> just came across https://arstechnica.com/information-technology/2017/09/apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/, does
> CVE-2017-9798 affect openSUSE/SLES/SLED?

It affects the Apache 2.4 versions we ship, so SLE12 and Leap 42*

This needs a misconfigured .htaccess though to be exploitable.

We will release updates.

(Apache 2.2 affectedness is not clear.)

Ciao, Marcus
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: does CVE-2017-9798 affect us?

Thomas Biege
On 21.09.17 09:21, Marcus Meissner wrote:
> (Apache 2.2 affectedness is not clear.)

... just want to add: if it is affected on maintained products, we will
release an update too.

Viele Grüße / Best regards
Thomas
--
Thomas Biege <[hidden email]>, Team Lead MaintenanceSecurity, CSSLP
https://www.suse.com/security

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

Re: does CVE-2017-9798 affect us?

Marcus Meissner
Hi,

On Thu, Sep 21, 2017 at 05:25:26PM +0200, Thomas Biege wrote:
> On 21.09.17 09:21, Marcus Meissner wrote:
> > (Apache 2.2 affectedness is not clear.)
>
> ... just want to add: if it is affected on maintained products, we will
> release an update too.

Further research has shown that Apache 2.2 is also affected. Updates
for SUSE Linux Enterprise Server 11 are in QA.

Ciao, Marcus