Apache2 2.22--10.12.1.i586 and CVE-2013-5704


On our systems we have installed apache2-2.22–10.12.1, which is vulnerable to CVE-2013-5704 (amongst others).

As a solution, according to Nessus:

Upgrade to Apache version 2.2.29 or later.

This version isn’t available in the standard update repositories. Will this version become available or will there be no more updates for apache2-2.22 on openSUSE 12.3?

Thx for answers

Version numbers are not raised for the official updates, so there never will be an update to 2.2.29 in the official update repo.
The 2.2.22 does have a lot of patches added to fix issues though, so it isn’t really 2.2.22. Have a look at the package changelog:

rpm -q --changelog apache2|less

I don’t see any particular mention of CVE-2013-5704 though, so you might want to file a bug report to get the fix added to the 12.3 package if necessary.

But 12.3 is nearly end-of-life. According to https://en.opensuse.org/Lifetime it will be supported until Jan. 4th 2015, after that you’ll not get any updates at all any more.
So it might be time to consider upgrading to a newer version, 13.1 has been selected as the next Evergreen version for prolonged support btw.
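
The changelog check suggested in the reply above can be scripted for several CVE ids at once. This is an added example, not part of the original thread; the function names and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which CVE ids appear in an RPM
# package changelog. Distribution packages backport fixes without raising the
# upstream version, so a scanner that matches on version alone cannot tell
# whether a fix is present; the changelog can.

# cve_status: reads changelog text on stdin and, for each CVE id given as an
# argument, prints "<CVE> mentioned" or "<CVE> not-mentioned".
cve_status() {
    changelog=$(cat)
    for cve in "$@"; do
        # -F: literal match, -w: whole id only, -i: ignore case
        if printf '%s\n' "$changelog" | grep -qiwF -- "$cve"; then
            echo "$cve mentioned"
        else
            echo "$cve not-mentioned"
        fi
    done
}

# Constructed sample changelog (placeholder CVE ids, not real package data).
sample_changelog() {
    cat <<'EOF'
* Wed Jan 01 2014 packager@example.org
- httpd-example-fix.patch: fix for CVE-0000-0001 (bsc#000000)
* Tue Jan 01 2013 packager@example.org
- update documentation
EOF
}

# Real use on an RPM-based system:
#   rpm -q --changelog apache2 | cve_status CVE-2013-5704
if [ "${1:-}" = "--demo" ]; then
    sample_changelog | cve_status CVE-0000-0001 CVE-0000-0002
fi
```

A "not-mentioned" result only means the changelog does not name the CVE; it is the cue to check the distribution's bug tracker or file a report, as the reply suggests.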