httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@apache.org>
Subject Re: svn commit: r1809192 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Date Thu, 21 Sep 2017 18:47:14 GMT
What more would we want to say here? Mention that the Allow: header may respond
with corrupted output? It seems other side effects can be present, which is why
I kept this simple.


On Thu, Sep 21, 2017 at 1:33 PM,  <wrowe@apache.org> wrote:
> Author: wrowe
> Date: Thu Sep 21 18:33:47 2017
> New Revision: 1809192
>
> URL: http://svn.apache.org/viewvc?rev=1809192&view=rev
> Log:
> Record CVE-2017-9798
>
> Modified:
>     httpd/site/trunk/content/security/vulnerabilities-httpd.xml
>
> Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
> URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1809192&r1=1809191&r2=1809192&view=diff
> ==============================================================================
> --- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
> +++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Thu Sep 21 18:33:47 2017
> @@ -1,4 +1,99 @@
> -<security updated="20170726">
> +<security updated="20170921">
> +
> +<issue fixed="2.4.28-dev" reported="20170712" public="20170918" released="">
> +<cve name="CVE-2017-9798"/>
> +<severity level="4">low</severity>
> +<title>Use-after-free when using &lt;Limit &gt; with an unrecognized method
in .htaccess ("OptionsBleed")</title>
> +<description>
> +<p>When an unrecognized HTTP Method is given in an &lt;Limit {method}&gt;
> +directive in an .htaccess file, and that .htaccess file is processed by the
> +corresponding request, the global methods table is corrupted in the current
> +worker process, resulting in erratic behaviour.</p>
> +<p>This behavior may be avoided by listing all unusual HTTP Methods in a global
> +httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later.</p>
> +<p>To permit other .htaccess directives while denying the &lt;Limit &gt;
directive, see the AllowOverrideList directive.</p>
> +<p>Source code patch is at;</p>
> +<ul>
> +<li><a href="http://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch"
> +>http://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch</a></li>
> +</ul>
> +</description>
> +<acknowledgements>
> +We would like to thank Hanno Böck for reporting this issue.
> +</acknowledgements>
> +<affects prod="httpd" version="2.4.27"/>
> +<affects prod="httpd" version="2.4.26"/>
> +<affects prod="httpd" version="2.4.25"/>
> +<affects prod="httpd" version="2.4.23"/>
> +<affects prod="httpd" version="2.4.20"/>
> +<affects prod="httpd" version="2.4.18"/>
> +<affects prod="httpd" version="2.4.17"/>
> +<affects prod="httpd" version="2.4.16"/>
> +<affects prod="httpd" version="2.4.12"/>
> +<affects prod="httpd" version="2.4.10"/>
> +<affects prod="httpd" version="2.4.9"/>
> +<affects prod="httpd" version="2.4.7"/>
> +<affects prod="httpd" version="2.4.6"/>
> +<affects prod="httpd" version="2.4.4"/>
> +<affects prod="httpd" version="2.4.3"/>
> +<affects prod="httpd" version="2.4.2"/>
> +<affects prod="httpd" version="2.4.1"/>
> +</issue>
> +
> +<issue fixed="2.2.35-dev" reported="20170712" public="20170918" released="">
> +<cve name="CVE-2017-9798"/>
> +<severity level="4">low</severity>
> +<title>Use-after-free when using &lt;Limit &gt; with an unrecognized method
in .htaccess ("OptionsBleed")</title>
> +<description>
> +<p>When an unrecognized HTTP Method is given in an &lt;Limit {method}&gt;
> +directive in an .htaccess file, and that .htaccess file is processed by the
> +corresponding request, the global methods table is corrupted in the current
> +worker process, resulting in erratic behaviour.</p>
> +<p>This behavior may be avoided by listing all unusual HTTP Methods in a global
> +httpd.conf RegisterHttpMethod directive in httpd release 2.2.32 and later.</p>
> +<p>To permit other .htaccess directives while denying the &lt;Limit &gt;
directive, see the AllowOverrideList directive.</p>
> +<p>Source code patch is at;</p>
> +<ul>
> +<li><a href="http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.4.patch"
> +>http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch</a></li>
> +</ul>
> +<p>Note 2.2 is end-of-life, no further release with this fix is planned. Users
> +are encouraged to migrate to 2.4.28 or later for this and other fixes.</p>
> +</description>
> +<acknowledgements>
> +We would like to thank Hanno Böck for reporting this issue.
> +</acknowledgements>
> +<affects prod="httpd" version="2.2.34"/>
> +<affects prod="httpd" version="2.2.32"/>
> +<affects prod="httpd" version="2.2.31"/>
> +<affects prod="httpd" version="2.2.29"/>
> +<affects prod="httpd" version="2.2.27"/>
> +<affects prod="httpd" version="2.2.26"/>
> +<affects prod="httpd" version="2.2.25"/>
> +<affects prod="httpd" version="2.2.24"/>
> +<affects prod="httpd" version="2.2.23"/>
> +<affects prod="httpd" version="2.2.22"/>
> +<affects prod="httpd" version="2.2.21"/>
> +<affects prod="httpd" version="2.2.20"/>
> +<affects prod="httpd" version="2.2.19"/>
> +<affects prod="httpd" version="2.2.18"/>
> +<affects prod="httpd" version="2.2.17"/>
> +<affects prod="httpd" version="2.2.16"/>
> +<affects prod="httpd" version="2.2.15"/>
> +<affects prod="httpd" version="2.2.14"/>
> +<affects prod="httpd" version="2.2.13"/>
> +<affects prod="httpd" version="2.2.12"/>
> +<affects prod="httpd" version="2.2.11"/>
> +<affects prod="httpd" version="2.2.10"/>
> +<affects prod="httpd" version="2.2.9"/>
> +<affects prod="httpd" version="2.2.8"/>
> +<affects prod="httpd" version="2.2.6"/>
> +<affects prod="httpd" version="2.2.5"/>
> +<affects prod="httpd" version="2.2.4"/>
> +<affects prod="httpd" version="2.2.3"/>
> +<affects prod="httpd" version="2.2.2"/>
> +<affects prod="httpd" version="2.2.0"/>
> +</issue>
>
>  <issue fixed="2.4.27" reported="20170630" public="20170711" released="20170711">
>  <cve name="CVE-2017-9789"/>
>
>

Mime
View raw message