CVE-2017-9798

Priority
Description
Apache httpd allows remote attackers to read secret data from process
memory if the Limit directive can be set in a user's .htaccess file, or if
httpd.conf has certain misconfigurations, aka Optionsbleed. This affects
the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The
attacker sends an unauthenticated OPTIONS HTTP request when attempting to
read secret data. This is a use-after-free issue and thus secret data is
not always sent, and the specific data depends on many factors including
configuration. Exploitation with .htaccess can be blocked with a patch to
the ap_limit_section function in server/core.c.
Assigned-to
mdeslaur
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):released (2.2.22-1ubuntu1.14)
Ubuntu 14.04 LTS (Trusty Tahr):released (2.4.7-1ubuntu4.18)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.4.18-2ubuntu3.5)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.4.27-2ubuntu3)
Patches:
Upstream:https://svn.apache.org/viewvc?view=revision&revision=1807754
More Information

Updated: 2019-01-14 22:31:06 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)