Bug#876109: marked as done (apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 23 Sep 2017 11:32:33 +0000
with message-id <E1dvifh-000E8N-H5@fasolo.debian.org>
and subject line Bug#876109: fixed in apache2 2.4.10-10+deb8u11
has caused the Debian Bug report #876109,
regarding apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
876109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876109
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: apache2: CVE-2017-9798: HTTP OPTIONS method can leak Apache's server memory
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Mon, 18 Sep 2017 16:20:15 +0200
• Message-id: <[🔎] 150574441592.13058.18348477694694627137.reportbug@eldamar.local>

Source: apache2
Version: 2.4.10-10
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for apache2.

CVE-2017-9798[0]:
HTTP OPTIONS method can leak Apache's server memory

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
[1] https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 876109-close@bugs.debian.org
• Subject: Bug#876109: fixed in apache2 2.4.10-10+deb8u11
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Sat, 23 Sep 2017 11:32:33 +0000
• Message-id: <E1dvifh-000E8N-H5@fasolo.debian.org>

Source: apache2
Source-Version: 2.4.10-10+deb8u11

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876109@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Sep 2017 21:08:12 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2.2-bin apache2.2-common libapache2-mod-proxy-html libapache2-mod-macro apache2-utils apache2-suexec apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-dbg
Architecture: all source
Version: 2.4.10-10+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 876109
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-mpm-event - transitional event MPM package for apache2
 apache2-mpm-itk - transitional itk MPM package for apache2
 apache2-mpm-prefork - transitional prefork MPM package for apache2
 apache2-mpm-worker - transitional worker MPM package for apache2
 apache2-suexec - transitional package for apache2-suexec-pristine
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 apache2.2-bin - Transitional package for apache2-bin
 apache2.2-common - Transitional package for apache2
 libapache2-mod-macro - Transitional package for apache2-bin
 libapache2-mod-proxy-html - Transitional package for apache2-bin
Changes:
 apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
     (Closes: #876109)
Checksums-Sha1: 
 608aeea1a1d6378053e6cfc7542deaf641db133a 3436 apache2_2.4.10-10+deb8u11.dsc
 0e43217d3abf45fc3aff93e01f8a4ca1f1b31c67 559340 apache2_2.4.10-10+deb8u11.debian.tar.xz
 3202741a602f1f5c62e8f2071aaf9f90fab21ba4 162836 apache2-data_2.4.10-10+deb8u11_all.deb
 883b37d03fbe9b5e2516f76753de6a0e6c3ed2da 2703768 apache2-doc_2.4.10-10+deb8u11_all.deb
Checksums-Sha256: 
 0fd4c2213d354fe793456deba9f20c7e57fa3976a83eec85a766d781841bf4e8 3436 apache2_2.4.10-10+deb8u11.dsc
 32b6254c73e6a1c637d34c0ccb95832d219de1cdaa44276b226aaae53f28446f 559340 apache2_2.4.10-10+deb8u11.debian.tar.xz
 8181932677228a49cc946054a661da99fcd4f9f471397af825a1df4ccc71e950 162836 apache2-data_2.4.10-10+deb8u11_all.deb
 4c0cb26fdbb29dcfa87f43bd9abff135a14785b9390c3b7fb7c02b228e79e1e4 2703768 apache2-doc_2.4.10-10+deb8u11_all.deb
Files: 
 72adeb0f8c14fc13ce25f7bf4e32e7c3 3436 httpd optional apache2_2.4.10-10+deb8u11.dsc
 d2a879fd8bdc79917ade9ce22ddd60f5 559340 httpd optional apache2_2.4.10-10+deb8u11.debian.tar.xz
 3c82c9812642f476e3b29041687297d4 162836 httpd optional apache2-data_2.4.10-10+deb8u11_all.deb
 11fb46ac0eeba63bc99f1853b0d3b857 2703768 doc optional apache2-doc_2.4.10-10+deb8u11_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlnBbPpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ENUMQAJtLbO7mXt/APfTUzhupn6huT8mnLOz8
N4Ck5aKzcMSGw2ESLG8QF9c9826VZMgHKpi+enw0Ht0gWAPtd5Zf9kat2KDZtP2z
2O/X6UvQQYg21H77/9Jt3ctHjXyP0scantu2dfq4L4YWCjc871SE9E9YDtGcdQGB
FLY8NJbBz0BtjpRKVLn5K/kXkEL2BhK15yFTmonH1ObL1fIy7bp4jWkTmN4svnj0
Hn+ro9DoEZmSW2Eckeuv65ulo5JrbgEBiT/a4a/o+i2hSspyky2iDSkq7j3L9btb
L5bsgXVs3YxDXiiGDLjBxLYBCD7CcDbNB74NWsz2vJm3d6uLsKI2VlyojvowTayI
OSbfxSMeQMt15goiY+BE/dgabukkeVOsXNrq9Ts84RQr75bBkdDQOwMHFNFiGukt
Tj12Rp/+APFwnNBy3uUAslUnt7VRm8HOxW9ZJcgLXiYXFUrLoGYT1Shul73tTCpJ
qt9laEJr1/FhNTpo49fyS4C3jZ7E1amYHkujkrEE6vYRiNCLGuYmIjIsRC1RoVv/
v0ZuC/bigX+mBDREORuHRY6bYxB3nNytPdv8vf7T76yyyPeQelH0c6LO+cE9MB9a
z3nGyPsJbbSKvruW51F22D8dBjW77hs+qYFV49nj5gScn4L8NJRiKbEDlYDQ9WJa
Q40RFS1kZFzb
=8+/K
-----END PGP SIGNATURE-----

--- End Message ---