
CVE-2017-9798

Status Candidate

Overview

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Related Files

Red Hat Security Advisory 2017-3477-01
Posted Dec 17, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3477-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2017-12613, CVE-2017-3167, CVE-2017-3169, CVE-2017-7679, CVE-2017-9798
MD5 | c060ac568692c5a625232ab20b67a36e
Red Hat Security Advisory 2017-3476-01
Posted Dec 17, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3476-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2017-12613, CVE-2017-3167, CVE-2017-3169, CVE-2017-7679, CVE-2017-9798
MD5 | 2998dd842722e8dccbccecc95efc81bf
Red Hat Security Advisory 2017-3475-01
Posted Dec 17, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3475-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as a replacement of Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2017-12613, CVE-2017-3167, CVE-2017-3169, CVE-2017-7679, CVE-2017-9798
MD5 | 4ef23340919b51fe7aeb084c433c2e50
Apple Security Advisory 2017-12-6-1
Posted Dec 8, 2017
Authored by Apple | Site apple.com

Apple Security Advisory 2017-12-6-1 - macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan are now available and address issues in apache, curl, and more.

tags | advisory
systems | apple
advisories | CVE-2017-1000254, CVE-2017-13826, CVE-2017-13833, CVE-2017-13844, CVE-2017-13847, CVE-2017-13848, CVE-2017-13855, CVE-2017-13858, CVE-2017-13860, CVE-2017-13862, CVE-2017-13865, CVE-2017-13867, CVE-2017-13868, CVE-2017-13869, CVE-2017-13871, CVE-2017-13872, CVE-2017-13875, CVE-2017-13876, CVE-2017-13878, CVE-2017-13883, CVE-2017-3735, CVE-2017-9798
MD5 | af68f4baa82f3969d3d701de1140c5ee
Red Hat Security Advisory 2017-3240-01
Posted Nov 17, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3240-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release provides an update to httpd and OpenSSL. The updates are documented in the Release Notes document linked to in the References. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.

tags | advisory, java, web, protocol
systems | linux, redhat
advisories | CVE-2016-2183, CVE-2017-9788, CVE-2017-9798
MD5 | 3b29f86af233ff52d38e4b5b486e8852
Red Hat Security Advisory 2017-3239-01
Posted Nov 17, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3239-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release provides an update to httpd and OpenSSL. The updates are documented in the Release Notes document linked to in the References. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.

tags | advisory, java, web, protocol
systems | linux, redhat
advisories | CVE-2016-2183, CVE-2017-9788, CVE-2017-9798
MD5 | d3308a53ac9894680ebba1c87d267299
Red Hat Security Advisory 2017-3195-01
Posted Nov 14, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3195-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause the httpd child process to crash by sending specially crafted requests to a server.

tags | advisory, remote, web
systems | linux, redhat
advisories | CVE-2017-3167, CVE-2017-3169, CVE-2017-7679, CVE-2017-9788, CVE-2017-9798
MD5 | 157337568df9416d2ea4f3d3ef8840b7
Red Hat Security Advisory 2017-3194-01
Posted Nov 14, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3194-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause the httpd child process to crash by sending specially crafted requests to a server.

tags | advisory, remote, web
systems | linux, redhat
advisories | CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, CVE-2017-7679, CVE-2017-9788, CVE-2017-9798
MD5 | 72bfa46236aff8767f6d5fb2bcb685bc
Red Hat Security Advisory 2017-3193-01
Posted Nov 13, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3193-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause the httpd child process to crash by sending specially crafted requests to a server.

tags | advisory, remote, web
systems | linux, redhat
advisories | CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, CVE-2017-7679, CVE-2017-9788, CVE-2017-9798
MD5 | 9c32244644eb4897ec1ed63b28ad3243
Red Hat Security Advisory 2017-3113-01
Posted Nov 2, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3113-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. This release provides an update to httpd, OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References.

tags | advisory, java, web, protocol
systems | linux, redhat
advisories | CVE-2016-2183, CVE-2017-12615, CVE-2017-12617, CVE-2017-9788, CVE-2017-9798
MD5 | 46b21654d29e59ef7bb3a4df28200a02
Red Hat Security Advisory 2017-3114-01
Posted Nov 2, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3114-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. This release provides an update to httpd, OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2. The updates are documented in the Release Notes document linked to in the References.

tags | advisory, java, web, protocol
systems | linux, redhat
advisories | CVE-2016-2183, CVE-2017-12615, CVE-2017-12617, CVE-2017-9788, CVE-2017-9798
MD5 | e79e19cccf6975c04bc6a5a7ee05526e
Red Hat Security Advisory 2017-3018-01
Posted Oct 24, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3018-01 - The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module. The following packages have been upgraded to a later upstream version: httpd24-httpd. Security Fix: A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause the httpd child process to crash.

tags | advisory, remote, web
systems | linux, redhat
advisories | CVE-2017-9798
MD5 | 50d909e594f282c96c036ba5f8bf4137
Red Hat Security Advisory 2017-2972-01
Posted Oct 19, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2972-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause the httpd child process to crash.

tags | advisory, remote, web
systems | linux, redhat
advisories | CVE-2017-12171, CVE-2017-9798
MD5 | e64652074e2e5759339d4e7268697da3
Red Hat Security Advisory 2017-2882-01
Posted Oct 12, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2882-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause the httpd child process to crash.

tags | advisory, remote, web
systems | linux, redhat
advisories | CVE-2017-9798
MD5 | ad9389de508874fed2fa6236f05eaf2a
Ubuntu Security Notice USN-3425-1
Posted Sep 20, 2017
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3425-1 - Hanno Boeck discovered that the Apache HTTP Server incorrectly handled Limit directives in .htaccess files. In certain configurations, a remote attacker could possibly use this issue to read arbitrary server memory, including sensitive information. This issue is known as Optionsbleed.

tags | advisory, remote, web, arbitrary
systems | linux, ubuntu
advisories | CVE-2017-9798
MD5 | bfa83093442c8cb0223e5a49b009a8b1
Slackware Security Advisory - httpd Updates
Posted Sep 19, 2017
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

tags | advisory
systems | linux, slackware
advisories | CVE-2017-9798
MD5 | 886e6431276c1f7f5f360f4268f47575
© 2018 Packet Storm. All rights reserved.