[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#876109: marked as done (apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory)

Your message dated Sat, 23 Sep 2017 10:02:09 +0000
with message-id <E1dvhGD-0001uQ-8D@fasolo.debian.org>
and subject line Bug#876109: fixed in apache2 2.4.25-3+deb9u3
has caused the Debian Bug report #876109,
regarding apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
876109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876109
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Source: apache2
Version: 2.4.10-10
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for apache2.

CVE-2017-9798[0]:
HTTP OPTIONS method can leak Apache's server memory

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
[1] https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Source: apache2
Source-Version: 2.4.25-3+deb9u3

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876109@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Sep 2017 20:58:57 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source
Version: 2.4.25-3+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 876109
Changes:
 apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
     (Closes: #876109)
Checksums-Sha1:
 32c05335652d59d7f178b7fc4553cbc977e25b18 3141 apache2_2.4.25-3+deb9u3.dsc
 bd6d138c31c109297da2346c6e7b93b9283993d2 6398218 apache2_2.4.25.orig.tar.bz2
 fd3f9f214aea072abf784035c75a16dc1721b16e 698644 apache2_2.4.25-3+deb9u3.debian.tar.xz
 283ced6ae9890d5a3aff3134227797f50130551c 6521 apache2_2.4.25-3+deb9u3_source.buildinfo
Checksums-Sha256:
 8d8882881188bdbc7b91018ee8227ff64dc0225761a8b29fd65fb7a7bd0e411d 3141 apache2_2.4.25-3+deb9u3.dsc
 f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2 6398218 apache2_2.4.25.orig.tar.bz2
 5d70639e0bce0c17dc67c867898e5b4f2ca765baf4f2779b9ced6e6d07077a34 698644 apache2_2.4.25-3+deb9u3.debian.tar.xz
 7cac0dea06098736d5e2b28d03b837dc9ead14032fef7ec5343d877f3a418c90 6521 apache2_2.4.25-3+deb9u3_source.buildinfo
Files:
 3481582dd442d200d076857f26e08d68 3141 httpd optional apache2_2.4.25-3+deb9u3.dsc
 2826f49619112ad5813c0be5afcc7ddb 6398218 httpd optional apache2_2.4.25.orig.tar.bz2
 22691ac7783269d9148553bffe6e5c41 698644 httpd optional apache2_2.4.25-3+deb9u3.debian.tar.xz
 3cc9f858a5823d805dac2613dca20157 6521 httpd optional apache2_2.4.25-3+deb9u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlnBabJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EP2IQAKFk0AG58i4bunUbVYbWvuUGaV3lKZTC
FtOZm8wi+s+5G3TdZ7BtKpbAysNnsCQFopcE+hWxZiSAGMEbkHc4eTHZK4u1iddE
iB2FSZkip9Uq37KSK8e/wG9NnoYRO4p3W5GRNyZy/TUN/mJLTkCPC8r2Pp31km/L
ifj8eg7W1a7PyXFesDUs5yVGG9qTbUxmc7HVGplah/KckNE5i+TxVH+MZeJlekOl
yB7cjSPfAaquxGferl2mCkJlXa82vXMxyF7LP5wFltRvXsFYb6VO1ByPEi6TnR+N
uY6BOPxci4cBPYvRPAe8ll6R1VBcoxKPUucBv25S7gd67Dyd/wyhCud5QpPGgAwd
JDw473SE1S3+9nEMuOH0L/EUSYt1B93UNBYh75q1r5FGYRvOF98e6g4jnzW8YxA4
HDCDFmrS5waFVSMafVlmToKgKp3rrpUFlE9l7wVMIMHgcRTeI8VOTjN7J6RsZH/o
ptHZ6FA8+SE8E/0ET4TopqMRRRLHChZoUSnfWvtJKmObQv1EwSMfXDtcFONSkIbq
XRGuo6uLTZV4Usr94d95n8ZXDmy0VWI0v9zwSoCJJ51EwJHuYUui+urCddj0GYjd
0EXSp7n9d7sx3ub9qAtordQr0pSR7t5OAs5edNPCu5KPw5J3BeQZq7EimUdrBG7C
q+pzswy2vWhE
=5koK
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: