From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Security issue in Apache 2.4.27 ("optionsbleed")
Date: Tue, 19 Sep 2017 19:23:04 +0200
In-Reply-To: <20170919171409.4efbd4e2.peter.mueller@link38.eu>

On 19.09.2017 17:14, Peter Müller wrote:
> Hello,
>
> a security issue has been found in Apache 2.4.27, which is
> at the moment scheduled for the "next" branch in IPFire.
>
> It is a memory leak (called "optionsbleed"), more details
> are available here:
> * https://nvd.nist.gov/vuln/detail/CVE-2017-9798
> * https://heise.de/-3835313 (German only)
>
> A patch has been published on Apache's SVN repository (but
> I am not sure how to add it to the LFS build file :-) ):
> https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
>
> Although IPFire is not vulnerable as far as I know, it
> might be good to deploy this. Affects the 2.2.x series, too.
>
> Just in case anyone is interested.
>
> Best regards,
> Peter Müller
>

I'll give it a try - Devel is running...

Best,
Matthias