Security update for libmicrohttpd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1676-1 Final 1 1 2017-06-26T08:50:19Z current 2017-06-26T08:50:19Z 2017-06-26T08:50:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libmicrohttpd This update for libmicrohttpd fixes the following issues: - CVE-2013-7038: The MHD_http_unescape function in libmicrohttpd might have allowed remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read. (bsc#854443) - CVE-2013-7039: Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header. (bsc#854443) - Fixed various bugs found during a 2017 audit, which are more hardening measures and not security issues. (bsc#1041216) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-06/msg00089.html E-Mail link for openSUSE-SU-2017:1676-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 libmicrohttpd-0.9.30-5.3.1 libmicrohttpd-devel-0.9.30-5.3.1 libmicrohttpd10-0.9.30-5.3.1 libmicrospdy-devel-0.9.30-5.3.1 libmicrospdy0-0.9.30-5.3.1 microspdy2http-0.9.30-5.3.1 libmicrohttpd-0.9.30-5.3.1 as a component of openSUSE Leap 42.2 libmicrohttpd-devel-0.9.30-5.3.1 as a component of openSUSE Leap 42.2 libmicrohttpd10-0.9.30-5.3.1 as a component of openSUSE Leap 42.2 libmicrospdy-devel-0.9.30-5.3.1 as a component of openSUSE Leap 42.2 libmicrospdy0-0.9.30-5.3.1 as a component of openSUSE Leap 42.2 microspdy2http-0.9.30-5.3.1 as a component of openSUSE Leap 42.2 The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read. CVE-2013-7038 openSUSE Leap 42.2:libmicrohttpd-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrohttpd-devel-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrohttpd10-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrospdy-devel-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrospdy0-0.9.30-5.3.1 openSUSE Leap 42.2:microspdy2http-0.9.30-5.3.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00089.html https://www.suse.com/security/cve/CVE-2013-7038.html CVE-2013-7038 https://bugzilla.suse.com/854443 SUSE Bug 854443 Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header. CVE-2013-7039 openSUSE Leap 42.2:libmicrohttpd-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrohttpd-devel-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrohttpd10-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrospdy-devel-0.9.30-5.3.1 openSUSE Leap 42.2:libmicrospdy0-0.9.30-5.3.1 openSUSE Leap 42.2:microspdy2http-0.9.30-5.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00089.html https://www.suse.com/security/cve/CVE-2013-7039.html CVE-2013-7039 https://bugzilla.suse.com/854443 SUSE Bug 854443