What more would we want to say here? Mention that the Allow: header may respond with corrupted output? It seems other side effects can be present, which is why I kept this simple.
On Thu, Sep 21, 2017 at 1:33 PM, <wr...@apache.org> wrote: > Author: wrowe > Date: Thu Sep 21 18:33:47 2017 > New Revision: 1809192 > > URL: http://svn.apache.org/viewvc?rev=1809192&view=rev > Log: > Record CVE-2017-9798 > > Modified: > httpd/site/trunk/content/security/vulnerabilities-httpd.xml > > Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml > URL: > http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1809192&r1=1809191&r2=1809192&view=diff > ============================================================================== > --- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original) > +++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Thu Sep 21 > 18:33:47 2017 
> @@ -1,4 +1,99 @@ > -<security updated="20170726"> > +<security updated="20170921"> > + > +<issue fixed="2.4.28-dev" reported="20170712" public="20170918" released=""> > +<cve name="CVE-2017-9798"/> > +<severity level="4">low</severity> > +<title>Use-after-free when using <Limit > with an unrecognized method > in .htaccess ("OptionsBleed")</title> > +<description> > +<p>When an unrecognized HTTP Method is given in an <Limit {method}> > +directive in an .htaccess file, and that .htaccess file is processed by the > +corresponding request, the global methods table is corrupted in the current > +worker process, resulting in erratic behaviour.</p> > +<p>This behavior may be avoided by listing all unusual HTTP Methods in a > global > +httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and > later.</p> > +<p>To permit other .htaccess directives while denying the <Limit > > directive, see the AllowOverrideList directive.</p> > +<p>Source code patch is at;</p> > +<ul> > +<li><a > href="http://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch" > +>http://www.apache.org/dist/httpd/patches/apply_to_2.4.27/CVE-2017-9798-patch-2.4.patch</a></li> > +</ul> > +</description> > +<acknowledgements> > +We would like to thank Hanno Böck for reporting this issue. 
> +</acknowledgements> > +<affects prod="httpd" version="2.4.27"/> > +<affects prod="httpd" version="2.4.26"/> > +<affects prod="httpd" version="2.4.25"/> > +<affects prod="httpd" version="2.4.23"/> > +<affects prod="httpd" version="2.4.20"/> > +<affects prod="httpd" version="2.4.18"/> > +<affects prod="httpd" version="2.4.17"/> > +<affects prod="httpd" version="2.4.16"/> > +<affects prod="httpd" version="2.4.12"/> > +<affects prod="httpd" version="2.4.10"/> > +<affects prod="httpd" version="2.4.9"/> > +<affects prod="httpd" version="2.4.7"/> > +<affects prod="httpd" version="2.4.6"/> > +<affects prod="httpd" version="2.4.4"/> > +<affects prod="httpd" version="2.4.3"/> > +<affects prod="httpd" version="2.4.2"/> > +<affects prod="httpd" version="2.4.1"/> > +</issue> > + > +<issue fixed="2.2.35-dev" reported="20170712" public="20170918" released=""> > +<cve name="CVE-2017-9798"/> > +<severity level="4">low</severity> > +<title>Use-after-free when using <Limit > with an unrecognized method > in .htaccess ("OptionsBleed")</title> > +<description> > +<p>When an unrecognized HTTP Method is given in an <Limit {method}> > +directive in an .htaccess file, and that .htaccess file is processed by the > +corresponding request, the global methods table is corrupted in the current > +worker process, resulting in erratic behaviour.</p> > +<p>This behavior may be avoided by listing all unusual HTTP Methods in a > global > +httpd.conf RegisterHttpMethod directive in httpd release 2.2.32 and > later.</p> > +<p>To permit other .htaccess directives while denying the <Limit > > directive, see the AllowOverrideList directive.</p> > +<p>Source code patch is at;</p> > +<ul> > +<li><a > href="http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.4.patch" > +>http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch</a></li> > +</ul> > +<p>Note 2.2 is end-of-life, no further release with this fix is planned. 
> Users > +are encouraged to migrate to 2.4.28 or later for this and other fixes.</p> > +</description> > +<acknowledgements> > +We would like to thank Hanno Böck for reporting this issue. > +</acknowledgements> > +<affects prod="httpd" version="2.2.34"/> > +<affects prod="httpd" version="2.2.32"/> > +<affects prod="httpd" version="2.2.31"/> > +<affects prod="httpd" version="2.2.29"/> > +<affects prod="httpd" version="2.2.27"/> > +<affects prod="httpd" version="2.2.26"/> > +<affects prod="httpd" version="2.2.25"/> > +<affects prod="httpd" version="2.2.24"/> > +<affects prod="httpd" version="2.2.23"/> > +<affects prod="httpd" version="2.2.22"/> > +<affects prod="httpd" version="2.2.21"/> > +<affects prod="httpd" version="2.2.20"/> > +<affects prod="httpd" version="2.2.19"/> > +<affects prod="httpd" version="2.2.18"/> > +<affects prod="httpd" version="2.2.17"/> > +<affects prod="httpd" version="2.2.16"/> > +<affects prod="httpd" version="2.2.15"/> > +<affects prod="httpd" version="2.2.14"/> > +<affects prod="httpd" version="2.2.13"/> > +<affects prod="httpd" version="2.2.12"/> > +<affects prod="httpd" version="2.2.11"/> > +<affects prod="httpd" version="2.2.10"/> > +<affects prod="httpd" version="2.2.9"/> > +<affects prod="httpd" version="2.2.8"/> > +<affects prod="httpd" version="2.2.6"/> > +<affects prod="httpd" version="2.2.5"/> > +<affects prod="httpd" version="2.2.4"/> > +<affects prod="httpd" version="2.2.3"/> > +<affects prod="httpd" version="2.2.2"/> > +<affects prod="httpd" version="2.2.0"/> > +</issue> > > <issue fixed="2.4.27" reported="20170630" public="20170711" > released="20170711"> > <cve name="CVE-2017-9789"/> > >
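Review bot: In the second <issue> entry (fixed="2.2.35-dev"), the patch link's href points to apply_to_2.2.34/CVE-2017-9798-patch-2.4.patch while its link text reads apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch. The href should use the same patch-2.2.patch file name as the text, so that the 2.2 entry does not send readers to a different file name than the one displayed. The same entry sets fixed="2.2.35-dev" while its note says no further 2.2 release with this fix is planned, so confirm that this attribute renders as intended on the site. In both entries, "Source code patch is at;" should end with a colon. If the <Limit > and <Limit {method}> in the titles and descriptions are literal in the file rather than an artifact of the mail rendering, they need to be written as &lt; and &gt; entities to keep the XML well-formed.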