| Summary: | <www-servers/apache-{2.2.34,2.4.27-r1}: Optionsbleed | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | hanno, polynomial-c |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html | | |
| Whiteboard: | A4 [glsa cve] | | |
| Package list: | www-servers/apache-2.2.34, www-servers/apache-2.4.27-r1, app-admin/apache-tools-2.4.27, app-admin/apache-tools-2.2.34 | Runtime testing required: | --- |
| Bug Depends on: | | Bug Blocks: | 622240, 624868 |

Description
Thomas Deutschmann (RETIRED)
2017-09-18 09:00:33 UTC
Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

The bug appears if a webmaster tries to use the "Limit" directive with an invalid HTTP method.

Example .htaccess:

```
<Limit abcxyz>
</Limit>
```

Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

There won't be an apache release, unfortunately the apache team was unable to come up with a coordinated disclosure / release date.

I cannot reproduce it with apache 2.2, but this bug tends to be not reliably reproducible, so this is no assurance that there is no bug.

Arches, please test and mark stable:

- =www-servers/apache-2.2.34
- =www-servers/apache-tools-2.2.34
- =www-servers/apache-2.4.27-r1

amd64/x86 stable

stable for sparc (thanks to Rolf Eike Beer)

ia64 stable

hppa stable

ppc stable

ppc64 stable

arm stable

Stable on alpha.

@maintainers, please clean the vulnerable versions.

GLSA Vote: Yes.

This issue was resolved and addressed in GLSA 201710-32 at https://security.gentoo.org/glsa/201710-32 by GLSA coordinator Aaron Bauman (b-man).

re-opened for cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=760bcf48e497d770435030c1b82246e56665fcdd

```
commit 760bcf48e497d770435030c1b82246e56665fcdd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 23:14:37 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 23:16:15 +0000

    www-servers/apache: Security cleanup

    Bug: https://bugs.gentoo.org/631308
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 www-servers/apache/apache-2.4.27.ebuild | 238 --------------------------------
 1 file changed, 238 deletions(-)
```

Repository is clean, all done.
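
The description in this report says the bug appears when a "Limit" directive names an invalid HTTP method. The following audit helper is an added example, not part of the bug report or of Apache's or Gentoo's code: it scans `.htaccess` text for such directives. The `KNOWN_METHODS` set, the function name, the sample input and the inclusion of `<LimitExcept>` are assumptions of this example.

```python
import re

# Assumption: the method names the httpd documentation lists for <Limit>.
# Modules can register more; extend this set to match the local build.
KNOWN_METHODS = frozenset({
    "GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Opening <Limit ...> section. <LimitExcept ...> is included as an assumption,
# since it takes the same kind of method list. Closing tags do not match.
LIMIT_RE = re.compile(r"^\s*<\s*(Limit(?:Except)?)\s+([^>]*)>", re.IGNORECASE)

# Constructed sample input, not taken from a real host.
SAMPLE_HTACCESS = """\
# constructed sample
<Limit GET POST>
    Require all granted
</Limit>
<Limit abcxyz>
</Limit>
<LimitExcept GET post>
    Require valid-user
</LimitExcept>
"""


def find_unknown_limit_methods(text, known=KNOWN_METHODS):
    """Return (line_no, directive, method) for every unrecognised method."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LIMIT_RE.match(line)
        if not match:          # comments and closing tags never match
            continue
        directive = match.group(1)
        for method in match.group(2).split():
            # Method names are case-sensitive in httpd, so "post" != "POST".
            if method not in known:
                findings.append((line_no, directive, method))
    return findings


if __name__ == "__main__":
    for line_no, directive, method in find_unknown_limit_methods(SAMPLE_HTACCESS):
        print(f"line {line_no}: <{directive}> names unknown method {method!r}")
```

A finding marks a directive to review on hosts that have not yet moved to the fixed package versions listed in this report; it does not by itself show that memory was leaked.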