* Security issue in Apache 2.4.27 ("optionsbleed")
From: Peter Müller @ 2017-09-19 15:14 UTC
To: development
Hello,
a security issue has been found in Apache 2.4.27, which is
at the moment scheduled for the "next" branch in IPFire.
It is a memory leak (called "optionsbleed"), more details
are available here:
* https://nvd.nist.gov/vuln/detail/CVE-2017-9798
* https://heise.de/-3835313 (German only)
A patch has been published on Apache's SVN repository (but
I am not sure how to add it to the LFS build file :-) ):
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
Although IPFire is not vulnerable as far as I know, it
might be good to deploy this. Affects the 2.2.x series, too.
Just in case anyone is interested.
Best regards,
Peter Müller
* Re: Security issue in Apache 2.4.27 ("optionsbleed")
From: Matthias Fischer @ 2017-09-19 17:23 UTC
To: development
On 19.09.2017 17:14, Peter Müller wrote:
> Hello,
>
> a security issue has been found in Apache 2.4.27, which is
> at the moment scheduled for the "next" branch in IPFire.
>
> It is a memory leak (called "optionsbleed"), more details
> are available here:
> * https://nvd.nist.gov/vuln/detail/CVE-2017-9798
> * https://heise.de/-3835313 (German only)
>
> A patch has been published on Apache's SVN repository (but
> I am not sure how to add it to the LFS build file :-) ):
> https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
>
> Although IPFire is not vulnerable as far as I know, it
> might be good to deploy this. Affects the 2.2.x series, too.
>
> Just in case anyone is interested.
>
> Best regards,
> Peter Müller
>
I'll give it a try - Devel is running...
Best,
Matthias
* Re: Security issue in Apache 2.4.27 ("optionsbleed")
From: Michael Tremer @ 2017-09-20 21:12 UTC
To: development
Perfect working together.
Patch is merged.
Indeed, we shouldn't ship a release that has any known vulnerabilities.
Best,
-Michael