Apache Httpd < 2.4.28 : Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")


When an unrecognized HTTP Method is given in an <Limit {method}> directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive. Source code patch (2.4) is at; CVE-2017-9798-patch-2.4.patch Source code patch (2.2) is at; CVE-2017-9798-patch-2.2.patch Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes.

Affected Software

CPE Name Name Version
apache httpd 2.4.27
apache httpd 2.4.26
apache httpd 2.4.25
apache httpd 2.4.23
apache httpd 2.4.20
apache httpd 2.4.18
apache httpd 2.4.17
apache httpd 2.4.16
apache httpd 2.4.12
apache httpd 2.4.10
apache httpd 2.4.9
apache httpd 2.4.7
apache httpd 2.4.6
apache httpd 2.4.4
apache httpd 2.4.3
apache httpd 2.4.2
apache httpd 2.4.1