From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Security issue in Apache 2.4.27 ("optionsbleed")
Date: Tue, 19 Sep 2017 17:14:09 +0200
Message-ID: <20170919171409.4efbd4e2.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4946082739138486160=="
List-Id: <development.lists.ipfire.org>

--===============4946082739138486160==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

a security issue has been found in Apache 2.4.27, which is
at the moment scheduled for the "next" branch in IPFire.

It is a memory leak (called "optionsbleed"), more details
are available here:
* https://nvd.nist.gov/vuln/detail/CVE-2017-9798
* https://heise.de/-3835313 (german only)

A patch has been published on Apache's SVN repository (but
I am not sure how to add it to the LFS build file :-) ):
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=3D1=
805223&r2=3D1807754&pathrev=3D1807754&view=3Dpatch

Although IPFire is not vulnerable as far as I know, it
might be good to deploy this. Affects the 2.2.x series, too.

Just in case anyone is interested.

Best regards,
Peter M=C3=BCller

--===============4946082739138486160==--