Comment 1 Hanno Böck 2017-09-18 09:24:01 UTC

Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

The bug appears if a webmaster tries to use the "Limit" directive with an invalid HTTP method.

Example .htaccess:

<Limit abcxyz>
</Limit>

Patch:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

There won't be an apache release, unfortunately the apache team was unable to come up with a coordinated disclosure / release date.

I cannot reproduce it with apache 2.2, but this bug tends to be not reliably reproducible, so this is no assurance that there is no bug.

Comment 2 Thomas Deutschmann (RETIRED) 2017-09-18 13:06:31 UTC

Arches,

please test and mark stable:

 - =www-servers/apache-2.2.34
 - =www-servers/apache-tools-2.2.34
 - =www-servers/apache-2.4.27-r1

Comment 3 Thomas Deutschmann (RETIRED) 2017-09-18 13:07:07 UTC

amd64/x86 stable

Comment 4 Sergei Trofimovich (RETIRED) 2017-09-19 07:38:38 UTC

stable for sparc (thanks to Rolf Eike Beer)

Comment 5 Sergei Trofimovich (RETIRED) 2017-09-19 19:38:22 UTC

ia64 stable

Comment 6 Sergei Trofimovich (RETIRED) 2017-09-20 20:37:37 UTC

hppa stable

Comment 7 Sergei Trofimovich (RETIRED) 2017-09-23 12:36:54 UTC

ppc stable

Comment 8 Sergei Trofimovich (RETIRED) 2017-09-23 12:43:04 UTC

ppc64 stable

Comment 9 Markus Meier 2017-10-16 18:12:37 UTC

arm stable

Comment 10 Tobias Klausmann (RETIRED) 2017-10-22 21:46:37 UTC

Stable on alpha.

Comment 11 Aaron Bauman (RETIRED) 2017-10-23 00:22:39 UTC

@maintainers, please clean the vulnerable versions.

Comment 12 Aaron Bauman (RETIRED) 2017-10-25 00:55:07 UTC

GLSA Vote: Yes.

Comment 13 GLSAMaker/CVETool Bot 2017-10-29 23:05:26 UTC

This issue was resolved and addressed in
 GLSA 201710-32 at https://security.gentoo.org/glsa/201710-32
by GLSA coordinator Aaron Bauman (b-man).

Comment 14 Aaron Bauman (RETIRED) 2017-10-29 23:06:01 UTC

re-opened for cleanup.

Comment 15 Larry the Git Cow 2017-10-29 23:16:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=760bcf48e497d770435030c1b82246e56665fcdd

commit 760bcf48e497d770435030c1b82246e56665fcdd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 23:14:37 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 23:16:15 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/631308
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 www-servers/apache/apache-2.4.27.ebuild | 238 --------------------------------
 1 file changed, 238 deletions(-)}

Comment 16 Thomas Deutschmann (RETIRED) 2017-10-29 23:17:58 UTC

Repository is clean, all done.