Subject: [ASA-201709-15] apache: information disclosure

Arch Linux Security Advisory ASA-201709-15
==========================================

Severity: High
Date    : 2017-09-18
CVE-ID  : CVE-2017-9798
Package : apache
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-404

Summary
=======

The package apache before version 2.4.27-2 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 2.4.27-2.

# pacman -Syu "apache>=2.4.27-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A use-after-free vulnerability has been discovered in Apache HTTP 2.4.27
that causes a corrupted Allow header to be constructed in response to
HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the
server process that may contain secrets. The memory pieces change after
multiple requests, so for a vulnerable host an arbitrary number of
memory chunks can be leaked.
The bug appears if a webmaster tries to use the "Limit" directive with
an invalid HTTP method.

Impact
======

A remote attacker is able to leak memory and potentially obtain
sensitive information from the server process.

References
==========

https://bz.apache.org/bugzilla/show_bug.cgi?id=61207
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
http://www.openwall.com/lists/oss-security/2017/09/18/2
https://github.com/hannob/optionsbleed
https://security.archlinux.org/CVE-2017-9798
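
Added example, not part of the advisory or of Apache's own code: because the Description ties the bug to a "Limit" directive that names an invalid HTTP method, this Python check audits configuration or .htaccess text for such methods. The function name, the sample text and the list of recognised methods are assumptions; loaded modules can register further methods.

```python
import re

# Assumption: methods a stock httpd 2.4 recognises; modules may add more.
KNOWN_METHODS = frozenset("""
GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND PROPPATCH
MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT CHECKIN
UPDATE LABEL REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE
""".split())

# Directive names are case-insensitive; the method arguments are not.
LIMIT_OPEN = re.compile(r"^\s*<(LimitExcept|Limit)\s+([^>]*)>", re.IGNORECASE)

# Constructed sample .htaccess content (not taken from the advisory).
SAMPLE_HTACCESS = """\
# constructed sample
<Limit GET POST>
    Require all granted
</Limit>
<Limit abcxyz>
    Require all denied
</Limit>
<LimitExcept GET post>
    Require valid-user
</LimitExcept>
"""


def find_unknown_limit_methods(config_text, source="<config>"):
    """Return (source, line_no, directive, method) per unrecognised method."""
    findings = []
    pending, start = "", 0
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        if not pending:
            start = line_no          # first physical line of the directive
        if raw.endswith("\\"):       # a trailing backslash continues the line
            pending += raw[:-1] + " "
            continue
        line, pending = pending + raw, ""
        if line.lstrip().startswith("#"):
            continue
        match = LIMIT_OPEN.match(line)
        if not match:
            continue
        for token in match.group(2).split():
            method = token.strip("\"'")
            if method not in KNOWN_METHODS:   # case-sensitive comparison
                findings.append((source, start, match.group(1), method))
    return findings
```

A finding is a reason to review that file by hand; it does not by itself show that a host is leaking memory, and the upgrade under Resolution still applies.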