CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2017/09/18 13:27:17
Modified files:
www/apache-httpd: Tag: OPENBSD_6_1 Makefile
Added files:
www/apache-httpd/patches: Tag: OPENBSD_6_1 patch-server_core_c
Log message:
patch apache httpd CVE-2017-9798, backported from upstream's branches/2.4.x
This is a use after free error that causes a corrupted Allow header to
be constructed in response to HTTP OPTIONS requests. It can leak pieces
of arbitrary memory from the server process that may contain secrets.
The memory pieces change after multiple requests, so for a vulnerable
host an arbitrary number of memory chunks can be leaked.
The bug appears if a webmaster tries to use the "Limit" directive with
an invalid HTTP method.
