Synopsis:          Moderate: httpd security update
Advisory ID:       SLSA-2017:2972-1
Issue Date:        2017-10-19
CVE Numbers:       CVE-2017-9798
                   CVE-2017-12171
--

Security Fix(es):

* A use-after-free flaw was found in the way httpd handled invalid and
previously unregistered HTTP methods specified in the Limit directive used
in an .htaccess file. A remote attacker could possibly use this flaw to
disclose portions of the server memory, or cause httpd child process to
crash. (CVE-2017-9798)

* A regression was found in the Scientific Linux 6.9 version of httpd,
causing comments in the "Allow" and "Deny" configuration lines to be
parsed incorrectly. A web administrator could unintentionally allow any
client to access a restricted HTTP resource. (CVE-2017-12171)
--

SL6
  x86_64
    httpd-2.2.15-60.el6_9.6.x86_64.rpm
    httpd-debuginfo-2.2.15-60.el6_9.6.x86_64.rpm
    httpd-tools-2.2.15-60.el6_9.6.x86_64.rpm
    httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm
    httpd-devel-2.2.15-60.el6_9.6.i686.rpm
    httpd-devel-2.2.15-60.el6_9.6.x86_64.rpm
    mod_ssl-2.2.15-60.el6_9.6.x86_64.rpm
  i386
    httpd-2.2.15-60.el6_9.6.i686.rpm
    httpd-debuginfo-2.2.15-60.el6_9.6.i686.rpm
    httpd-tools-2.2.15-60.el6_9.6.i686.rpm
    httpd-devel-2.2.15-60.el6_9.6.i686.rpm
    mod_ssl-2.2.15-60.el6_9.6.i686.rpm
  noarch
    httpd-manual-2.2.15-60.el6_9.6.noarch.rpm

- Scientific Linux Development Team