SLES-SP4 Apache vulnerability to SSL-RENEGOTIATION

As it seems, SUSE did not backport the SSLInsecureRenegotiation directive
into the SLES10-SP4 Apache for now.
They did backport the option into the openssl package though, but how
could I use it on sles-stock apache?
With the open access to the THC DOS tool it’s getting very risky to
have an SSL server on SLES10:


apache2-2.2.3-16.36.1 - The Apache Web Server Version 2.0

Mi 31 Aug 2011 14:00:00 CEST

  • httpd-2.2.x-bnc713966-CVE-2011-3192.patch fixes byterange remote
    DoS vulnerability known as CVE-2011-3192. [bnc#713966]
    Di 28 Jun 2011 14:00:00 CEST
  • httpd-2.2.x-bnc690734.patch: take LimitRequestFieldsize config
    option into account when parsing headers from backend. Thereby
    avoid that the receiving buffers are too small. bnc#690734.
    Mi 19 Jan 2011 13:00:00 CET
  • httpd-2.2.x-bnc661597-add-root-to-path.patch: add / when on a
    directory to feed correctly linked listings. bnc#661597
    Di 11 Jan 2011 13:00:00 CET
  • a2enmod shalt not disable a module in query mode. bnc#663359
    Mi 08 Dez 2010 13:00:00 CET
  • httpd-2.2.x-bnc555098-new_option_SSLRenegBufferSize.dif fixes
    “413 Request Entity Too Large occur” problem. From L3:28789 and
  • httpd-2.2.x-bnc527440-prefork_graceful_restart_hang.patch
    fixes graceful restart hangs, bnc#555098.
  • unified into httpd-2.2.x-CVE-2007-6420-6421-6422.patch:
    httpd-2.2.x-CVE-2007-6422.patch for --fuzz=0 conflicts.
    all patches apply to httpd-2.2.3/modules/proxy/mod_proxy_balancer.c
  • unified into httpd-2.2.3-CVE-2009-1195-0.patch:
    httpd-2.2.3-CVE-2009-1195-2.patch for --fuzz=0 conflicts.
    Di 17 Aug 2010 14:00:00 CEST
  • httpd-2.2.10-bnc627030-CVE-2010-1452.patch fixes CVE-2010-1452
    from [bnc#627030]. This only affects mod_dav. CVE-2010-1452
    also refers to mod_cache, but SLES is not affected as the error
    was introduced into a newer version of apache. For completeness:
    CVE-2010-2068 (information disclosure by mod_proxy_http)
    does not affect Linux.
    Fr 09 Apr 2010 14:00:00 CEST
  • httpd-2.2.10-bnc570127.patch [bnc#570127]: fix for mod_ssl buffer
    flushing problems causing hangs between browser and server, as
    both are waiting for each other.
  • httpd-2.2.10-bnc586572-CVE-2010-0434.patch [bnc#586572]: fix for
    CVE-2010-0434 subrequest header handling information disclosure
    with multithreaded MPM; remote attackers may obtain information
    that is related to an earlier request.
  • httpd-2.2.x-bnc586572-CVE-2010-0408.patch fix for CVE-2010-0408
    DoS caused by wrong status code in mod_proxy_ajp
    Fr 16 Okt 2009 14:00:00 CEST
  • fixed CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
    mod_proxy_ftp module allows remote FTP servers to cause a denial
    of service (NULL pointer dereference and child process crash) via a
    malformed reply to an EPSV command.)
  • fixed CVE-2009-3095 (access restriction bypass in mod_proxy_ftp module)
    Di 13 Okt 2009 14:00:00 CEST
  • The CVE-2009-1191 patch should have been labeled CVE-2009-1195,
    renamed. (bnc#513080)
  • The CVE-2009-1195 patch was incomplete and lead to failures
    with SSI scripts. (bnc#512583, bnc#539571)
  • Fixed mod_proxy reverse denial of service (CVE-2009-1890, bnc#519194)
    Fr 24 Jul 2009 14:00:00 CEST
  • VUL-0: apache mod_deflate DoS [bnc#521906]
  • VUL-0: apache - another issue similar to CVE-2009-1195 [bnc#513080]
  • VUL-0: apache2: does not properly handle Options=IncludesNOEXEC [bnc#512583]
    Mi 27 Mai 2009 14:00:00 CEST
  • mod_cache and mod_rewrite incompatible with each other [bnc#482633]
    Mo 02 Mär 2009 13:00:00 CET
  • fix CVE-2008-2364 [bnc#408832]
    Fr 19 Sep 2008 14:00:00 CEST
  • add httpd-2.2.x-CVE-2007-6420.patch [bnc#373903]:
    mod_proxy_balancer: Prevent CSRF attacks against the
    balancer-manager interface. [Joe Orton]
  • add httpd-2.0.x-CVE-2008-2939.patch [bnc#415061]:
    mod_proxy_ftp: Prevent XSS attacks when using wildcards in
    the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
    [Ruediger Pluem]
  • fix httpd-2.2.x-CVE-2007-3304.patch:
    do not bump MODULE_MAGIC_NUMBER_MINOR to 5 as the security fix
    only provides part of the api
    Di 25 Mär 2008 13:00:00 CET
  • bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
    (menu_header): Fix cross-site-scripting issue by escaping the URI,
    and ensure that a charset parameter is sent in the content-type to
    prevent autodetection by broken browsers.
  • bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
    request method in 413 error reporting. Determined to be not
    generally exploitable, but a flaw in any case.
  • bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
    is numeric to prevent a possible XSS attack caused by redirecting
    to other URLs. Reported by SecurityReason.
  • bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
    the worker route and the worker redirect string in the HTML output
    of the balancer manager. Reported by SecurityReason.
  • bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
    invalid balancer name is passed as parameter. Reported by
  • bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
    various modules to work around possible cross-site scripting flaws
    affecting web browsers that do not derive the response character
    set as required by RFC2616. One of these reported by
  • Add Requires: ed [bnc #363611]


openssl-0.9.8a-18.54.1 - Secure Sockets and Transport Layer Security

Mo 19 Sep 2011 14:00:00 CEST

  • fix bug[bnc#716144]- VUL-0: openssl ECDH crash
    Di 31 Mai 2011 14:00:00 CEST
  • update cyclic dependency with package openssl-certs.
    Mo 30 Mai 2011 14:00:00 CEST
  • fix bug[bnc#693027].
    Add protection against ECDSA timing attacks as mentioned in the paper
    by Billy Bob Brumley and Nicola Tuveri, see:
    [Billy Bob Brumley and Nicola Tuveri]
    Mo 11 Apr 2011 14:00:00 CEST
  • fix bug [bnc#657663]
    for CVE-2010-4252,no patch is added(for the J-PAKE
    implementaion is not compiled in by default).
    Di 15 Feb 2011 13:00:00 CET
  • run c_rehash in %post to make sure cert links are there
    Di 15 Feb 2011 13:00:00 CET
  • fix bug[bnc#659128], add ‘-extensions v3_ca’ option to both
    demo scripts and
    Do 10 Feb 2011 13:00:00 CET
  • Require openssl-certs [bnc#670623]
    Fr 10 Dez 2010 13:00:00 CET
  • out of date CA list, bug[bnc#638744]
    Mo 27 Sep 2010 14:00:00 CEST
  • fix bug [bnc#608666]
    So 26 Sep 2010 14:00:00 CEST
  • fix bug [bnc#629905]
    Do 25 Mär 2010 13:00:00 CET
  • Added tls/ssl secure renegotiation feature backport from 0.9.8m.
    CVE-2009-3555 [bnc#584292]
  • refreshed some patches for fuzz=0
    Di 23 Mär 2010 13:00:00 CET
  • fix security bug [bnc#597379]
    Fr 15 Jan 2010 13:00:00 CET
  • fix security bug [bnc#566238]
    Do 12 Nov 2009 13:00:00 CET
  • fix security bug [bnc#553641]
    Di 21 Jul 2009 14:00:00 CEST
    -add Entrust_net_Premium_2048_Secure_Server_CA.pem [bnc#522175]
    Mi 10 Jun 2009 14:00:00 CEST
  • fix security bug [bnc#509031]


vhbsles’s Profile:

Thanks for considering the security of your system. Unfortunately this
topic is a bit tricky. We did not backport the SSLInsecureRenegotiation
option, but we disabled insecure renegotiations completely (without an
option to turn it back on). This is however unrelated to the DoS issue
you’re talking about. That one is not about insecure renegotiations, but
about being able to trigger an excessive amount of secure renegotiations
continuously on the server, so even if the option would be available, it
would not help.

We’re working with high priority on an update that will address the DoS
issue. The links to that will appear here: and here: and can be installed
like normal via your regular maintenance update methods or ‘NOVELL:
Patch Finder’


dirkmueller’s Profile:
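The reply above separates insecure renegotiation (CVE-2009-3555) from a flood of perfectly valid secure renegotiations on one connection. As an added example (not part of the thread and not SUSE's update), the sketch below flags connections whose renegotiation rate exceeds a threshold; the event tuple format, the sample data and the default thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, connection id, handshake kind).
# Not a real log format: assume the TLS terminator or an IDS can emit one
# record per completed handshake.
SAMPLE_EVENTS = [
    (0.0, "c1", "initial"),
    (0.5, "c2", "initial"),
    (1.0, "c1", "renegotiation"),
    (1.2, "c2", "renegotiation"),
    (1.4, "c2", "renegotiation"),
    (1.6, "c2", "renegotiation"),
    (1.8, "c2", "renegotiation"),
    (2.0, "c2", "renegotiation"),
    (30.0, "c1", "renegotiation"),
    (61.0, "c1", "renegotiation"),
]


def flag_renegotiation_floods(events, max_renegs=3, window=10.0):
    """Return {connection_id: peak_count} for every connection that
    completed more than max_renegs renegotiations within any sliding
    window of `window` seconds. Thresholds are hypothetical defaults."""
    recent = defaultdict(deque)   # per-connection timestamps inside the window
    peaks = {}
    for ts, conn, kind in sorted(events):
        if kind != "renegotiation":
            continue              # the initial handshake is always allowed
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop renegotiations older than the window
        if len(q) > max_renegs:
            peaks[conn] = max(peaks.get(conn, 0), len(q))
    return peaks


if __name__ == "__main__":
    for conn, peak in flag_renegotiation_floods(SAMPLE_EVENTS).items():
        print(f"{conn}: {peak} renegotiations inside the window")
```

Connection c1 renegotiates occasionally and is left alone; c2 renegotiates five times in under a second and is reported, regardless of whether each renegotiation was a secure one.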