This update for apache2 fixes the following issues:
Allow disabling SNI on proxy connections using 'SetEnv proxy-disable-sni 1' in the configuration files. (bsc#1052830)
Allow ECDH again in mod_ssl, it had been incorrectly disabled with the 2.2.34 update. (bsc#1064561)
Following security issue has been fixed:
CVE-2017-9798: A use-after-free in the OPTIONS command could be used by attackers to disclose memory of the apache server process, when htaccess uses incorrect Limit statement. (bsc#1058058)
Additionally, references to the following security issues, fixed by the previous version-update of apache2
to Apache HTTPD 2.2.34 have been added:
CVE-2017-7668: The HTTP strict parsing introduced a bug in token list parsing, which allowed apfindtoken() to
search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may
have be able to cause a segmentation fault, or to force apfindtoken() to return an incorrect value. (bsc#1045061)
CVE-2017-3169: modssl may have de-referenced a NULL pointer when third-party modules call
aphookprocessconnection() during an HTTP request to an HTTPS port allowing for DoS. (bsc#1045062)
CVE-2017-3167: Use of the apgetbasicauthpw() by third-party modules outside of the authentication phase may have
lead to authentication requirements being bypassed. (bsc#1045065)
CVE-2017-7679: mod_mime could have read one byte past the end of a buffer when sending a malicious Content-Type
response header. (bsc#1045060)