As it seems Suse did not backport the SSLinsecureRenegotiation directive
into the SLES10-SP4 Apache for now
They did backport the option into the openssl package thoucht, but how
could i use it on sles-stock apache?
With the open access to the THC DOS tool it's getting very risky to
have a ssl server on SLES10:
http://www.thc.org/thc-ssl-dos/


Code:
--------------------
apache2-2.2.3-16.36.1 - The Apache Web Server Version 2.0

Mi 31 Aug 2011 14:00:00 CEST
draht@suse.de
- httpd-2.2.x-bnc713966-CVE-2011-3192.patch fixes byterange remote
DoS vulnerability known as CVE-2011-3192. [bnc#713966]
Di 28 Jun 2011 14:00:00 CEST
draht@suse.de
- httpd-2.2.x-bnc690734.patch: take LimitRequestFieldsize config
option into account when parsing headers from backend. Thereby
avoid that the receiving buffers are too small. bnc#690734.
Mi 19 Jan 2011 13:00:00 CET
draht@suse.de
- httpd-2.2.x-bnc661597-add-root-to-path.patch: add / when on a
directory to feed correctly linked listings. bnc#661597
Di 11 Jan 2011 13:00:00 CET
draht@suse.de
- a2enmod shalt not disable a module in query mode. bnc#663359
Mi 08 Dez 2010 13:00:00 CET
draht@suse.de
- httpd-2.2.x-bnc555098-new_option_SSLRenegBufferSize.dif fixes
"413 Request Entity Too Large occur" problem. From L3:28789 and
bnc#555098.
- httpd-2.2.x-bnc527440-prefork_graceful_restart_hang.patch
fixes graceful restart hangs, bnc#555098.
- unified into httpd-2.2.x-CVE-2007-6420-6421-6422.patch:
httpd-2.2.x-CVE-2007-6420.patch
httpd-2.2.x-CVE-2007-6421.patch
httpd-2.2.x-CVE-2007-6422.patch for --fuzz=0 conflicts.
all patches apply to httpd-2.2.3/modules/proxy/mod_proxy_balancer.c
- unified into httpd-2.2.3-CVE-2009-1195-0.patch:
httpd-2.2.3-CVE-2009-1195.patch
httpd-2.2.3-CVE-2009-1195-2.patch for --fuzz=0 conflicts.
Di 17 Aug 2010 14:00:00 CEST
draht@suse.de
- httpd-2.2.10-bnc627030-CVE-2010-1452.patch fixes CVE-2010-1452
from [bnc#627030]. This _only_ affects mod_dav. CVE-2010-1452
also refers to mod_cache, but SLES is not affected as the error
was introduced into a newer version of apache. For completeness:
CVE-2010-2068 (information disclosure by mod_proxy_http)
does not affect Linux.
Fr 09 Apr 2010 14:00:00 CEST
draht@suse.de
- httpd-2.2.10-bnc570127.patch [bnc#570127]: fix for mod_ssl buffer
flushing problems causing hangs between browser and server, as
both are waiting for each other.
- httpd-2.2.10-bnc586572-CVE-2010-0434.patch [bnc#586572]: fix for
CVE-2010-0434 subrequest header handling information disclosure
with multithreaded MPM; remote attackers may obtain information
that is related to an earlier request.
- httpd-2.2.x-bnc586572-CVE-2010-0408.patch fix for CVE-2010-0408
DoS caused by wrong status code in mod_proxy_ajp
Fr 16 Okt 2009 14:00:00 CEST
meissner@suse.de
- fixed CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
mod_proxy_ftp module allows remote FTP servers to cause a denial
of service (NULL pointer dereference and child process crash) via a
malformed reply to an EPSV command.)
- fixed CVE-2009-3095 (access restriction bypass in mod_proxy_ftp module)
bnc#538322
Di 13 Okt 2009 14:00:00 CEST
meissner@suse.de
- The CVE-2009-1191 patch should have been labeled CVE-2009-1195,
renamed. (bnc#513080)
- The CVE-2009-1195 patch was incomplete and lead to failures
with SSI scripts. (bnc#512583, bnc#539571)
- Fixed mod_proxy reverse denial of service (CVE-2009-1890, bnc#519194)
Fr 24 Jul 2009 14:00:00 CEST
crrodriguez@suse.de
- VUL-0: apache mod_deflate DoS [bnc#521906]
- VUL-0: apache - another issue similar to CVE-2009-1195 [bnc#513080]
- VUL-0: apache2: does not properly handle Options=IncludesNOEXEC [bnc#512583]
Mi 27 Mai 2009 14:00:00 CEST
crrodriguez@suse.de
- mod_cache and mod_rewrite incompatible with each other [bnc#482633]
Mo 02 Mär 2009 13:00:00 CET
crrodriguez@suse.de
- fix CVE-2008-2364 [bnc#408832]
Fr 19 Sep 2008 14:00:00 CEST
skh@suse.de
- add httpd-2.2.x-CVE-2007-6420.patch [bnc#373903]:
mod_proxy_balancer: Prevent CSRF attacks against the
balancer-manager interface. [Joe Orton]
- add httpd-2.0.x-CVE-2008-2939.patch [bnc#415061]:
mod_proxy_ftp: Prevent XSS attacks when using wildcards in
the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
[Ruediger Pluem]
- fix httpd-2.2.x-CVE-2007-3304.patch:
do not bump MODULE_MAGIC_NUMBER_MINOR to 5 as the security fix
only provides part of the api
Di 25 Mär 2008 13:00:00 CET
skh@suse.de
- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
(menu_header): Fix cross-site-scripting issue by escaping the URI,
and ensure that a charset parameter is sent in the content-type to
prevent autodetection by broken browsers.
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
request method in 413 error reporting. Determined to be not
generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
is numeric to prevent a possible XSS attack caused by redirecting
to other URLs. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
the worker route and the worker redirect string in the HTML output
of the balancer manager. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
invalid balancer name is passed as parameter. Reported by
SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
various modules to work around possible cross-site scripting flaws
affecting web browsers that do not derive the response character
set as required by RFC2616. One of these reported by
SecurityReason
- Add Requires: ed [bnc #363611]
--------------------





Code:
--------------------
openssl-0.9.8a-18.54.1 - Secure Sockets and Transport Layer Security



Mo 19 Sep 2011 14:00:00 CEST
gjhe@suse.com
- fix bug[bnc#716144]- VUL-0: openssl ECDH crash
CVE-2011-3210
Di 31 Mai 2011 14:00:00 CEST
gjhe@novell.com
- update cyclic dependency with package openssl-certs.
Mo 30 Mai 2011 14:00:00 CEST
gjhe@novell.com
- fix bug[bnc#693027].
Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Mo 11 Apr 2011 14:00:00 CEST
gjhe@novell.com
- fix bug [bnc#657663]
CVE-2010-4180
for CVE-2010-4252,no patch is added(for the J-PAKE
implementaion is not compiled in by default).
Di 15 Feb 2011 13:00:00 CET
lnussel@suse.de
- run c_rehash in %post to make sure cert links are there
Di 15 Feb 2011 13:00:00 CET
gjhe@novell.com
- fix bug[bnc#659128], add '-extensions v3_ca' option to both
demo scripts CA.sh and CA.pl
Do 10 Feb 2011 13:00:00 CET
kukuk@suse.de
- Require openssl-certs [bnc#670623]
Fr 10 Dez 2010 13:00:00 CET
gjhe@novell.com
- out of date CA list, bug[bnc#638744]
Mo 27 Sep 2010 14:00:00 CEST
gjhe@novell.com
- fix bug [bnc#608666]
So 26 Sep 2010 14:00:00 CEST
gjhe@novell.com
- fix bug [bnc#629905]
CVE-2010-2939
Do 25 Mär 2010 13:00:00 CET
meissner@suse.de
- Added tls/ssl secure renegotiation feature backport from 0.9.8m.
CVE-2009-3555 [bnc#584292]
- refreshed some patches for fuzz=0
Di 23 Mär 2010 13:00:00 CET
gjhe@novell.com
- fix security bug [bnc#597379]
CVE-2009-3245
Fr 15 Jan 2010 13:00:00 CET
gjhe@suse.de
- fix security bug [bnc#566238]
CVE-2009-4355
Do 12 Nov 2009 13:00:00 CET
gjhe@suse.de
- fix security bug [bnc#553641]
CVE-2009-3555
Di 21 Jul 2009 14:00:00 CEST
gjhe@suse.de
-add Entrust_net_Premium_2048_Secure_Server_CA.pem [bnc#522175]
Mi 10 Jun 2009 14:00:00 CEST
gjhe@suse.de
- fix security bug [bnc#509031]
CVE-2009-1386
CVE-2009-1387


--------------------


--
vhbsles
------------------------------------------------------------------------
vhbsles's Profile: http://forums.novell.com/member.php?userid=101902
View this thread: http://forums.novell.com/showthread.php?t=447649