VulnerableCode Package Details - pkg:alpm/archlinux/apache@2.4.27-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-5bej-9h7w-33c8 Aliases: CVE-2017-9798	When an unrecognized HTTP Method is given in an <Limit {method}> directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive. Source code patch (2.4) is at; CVE-2017-9798-patch-2.4.patch Source code patch (2.2) is at; CVE-2017-9798-patch-2.2.patch Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes.	2.4.27-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5bej-9h7w-33c8
Aliases:
CVE-2017-9798

When an unrecognized HTTP Method is given in an <Limit {method}> directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive. Source code patch (2.4) is at; CVE-2017-9798-patch-2.4.patch Source code patch (2.2) is at; CVE-2017-9798-patch-2.2.patch Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes.

2.4.27-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jt89-ruvk-1kbj	The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.	CVE-2017-9788
VCID-khfr-kgtb-rfam	When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.	CVE-2017-9789

Vulnerability

Summary

Aliases

VCID-jt89-ruvk-1kbj

The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

CVE-2017-9788

VCID-khfr-kgtb-rfam

When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

CVE-2017-9789

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T18:26:12.678736+00:00	Arch Linux Importer	Affected by	VCID-5bej-9h7w-33c8	https://security.archlinux.org/AVG-404	38.0.0
2026-04-01T18:24:46.861389+00:00	Arch Linux Importer	Fixing	VCID-jt89-ruvk-1kbj	https://security.archlinux.org/AVG-350	38.0.0
2026-04-01T18:24:46.836805+00:00	Arch Linux Importer	Fixing	VCID-khfr-kgtb-rfam	https://security.archlinux.org/AVG-350	38.0.0