This page lists all security vulnerabilities fixed in released versions of Apache HTTP Server 2.2. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may well vary from platform to platform. We also list the versions the flaw is known to affect, and where a flaw has not been verified list the version with a question mark. Please note that if a vulnerability is shown below as being fixed in a "-dev" release then this means that a fix has been applied to the development source tree and will be part of an upcoming full release. Please send comments or corrections for these vulnerabilities to the Security Team.

Apache httpd 2.2 is End-of-Life since December 2017 and should not be used. This page only lists security issues that occurred before the End-of-Life. Subsequent issues may have affected 2.2 but will not be investigated or listed here. Users are advised to upgrade to the currently supported released version to address known issues.

Fixed in Apache HTTP Server 2.2.35-never

low: Use-after-free when using with an unrecognized method in.

When an unrecognized HTTP Method is given in an directive in an .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. .htaccess directives while denying the directive, see the AllowOverrideList directive.

Source code patch (2.4) is at CVE-2017-9798-patch-2.4.patch
Source code patch (2.2) is at CVE-2017-9798-patch-2.2.patch

Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes.

Acknowledgements: We would like to thank Hanno Böck for reporting this issue.