From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Security issue in Apache 2.4.27 ("optionsbleed")
Date: Wed, 20 Sep 2017 22:12:31 +0100
Message-ID: <1505941951.4381.17.camel@ipfire.org>

Perfect working together. Patch is merged.

Indeed, we shouldn't ship a release that has any known vulnerabilities.

Best,
-Michael

On Tue, 2017-09-19 at 19:23 +0200, Matthias Fischer wrote:
> On 19.09.2017 17:14, Peter Müller wrote:
> > Hello,
> >
> > a security issue has been found in Apache 2.4.27, which is
> > at the moment scheduled for the "next" branch in IPFire.
> >
> > It is a memory leak (called "optionsbleed"), more details
> > are available here:
> > * https://nvd.nist.gov/vuln/detail/CVE-2017-9798
> > * https://heise.de/-3835313 (German only)
> >
> > A patch has been published on Apache's SVN repository (but
> > I am not sure how to add it to the LFS build file :-) ):
> > https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
> >
> > Although IPFire is not vulnerable as far as I know, it
> > might be good to deploy this. Affects the 2.2.x series, too.
> >
> > Just in case anyone is interested.
> >
> > Best regards,
> > Peter Müller
> >
>
> I'll give it a try - Devel is running...
>
> Best,
> Matthias