httpd-2.2.15-60.6.0.1.AXS4
Errata ID: AXSA:2017-2391:05
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.
Security Fix(es):
* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause the httpd child process to crash. (CVE-2017-9798)
* A regression was found in the Asianux Server 6.9 version of httpd, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource. (CVE-2017-12171)
Asianux would like to thank Hanno Böck for reporting CVE-2017-9798 and
KAWAHARA Masashi for reporting CVE-2017-12171.
CVE-2017-12171
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2017-9798
Apache httpd allows remote attackers to read secret data from process
memory if the Limit directive can be set in a user's .htaccess file, or
if httpd.conf has certain misconfigurations, aka Optionsbleed. This
affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.
The attacker sends an unauthenticated OPTIONS HTTP request when
attempting to read secret data. This is a use-after-free issue and thus
secret data is not always sent, and the specific data depends on many
factors including configuration. Exploitation with .htaccess can be
blocked with a patch to the ap_limit_section function in server/core.c.
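A configuration audit for the two flaws described above, as an added example that is not part of the Asianux advisory or of httpd itself: it flags `<Limit>` sections naming methods httpd does not register on its own (the CVE-2017-9798 precondition) and Allow/Deny lines carrying a trailing comment (the CVE-2017-12171 regression). The function name, the sample file, the inclusion of `<LimitExcept>` and the built-in method set are assumptions; modules can register further methods, so a hit means "review this line".

```python
import re

# Assumption: methods httpd registers by itself. Modules may add more.
BUILTIN_METHODS = {
    "GET", "HEAD", "PUT", "POST", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN",
    "UPDATE", "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY",
    "BASELINE-CONTROL", "MERGE",
}

# Opening <Limit ...> / <LimitExcept ...> tags only; "</Limit>" does not match.
LIMIT_RE = re.compile(r"^\s*<\s*Limit(?:Except)?\s+([^>]*)>", re.IGNORECASE)
ACCESS_RE = re.compile(r"^\s*(Allow|Deny)\s+from\b(.*)$", re.IGNORECASE)

# Constructed sample .htaccess content (not taken from any real host).
SAMPLE = """\
# Constructed .htaccess sample
<Limit GET POST>
  Allow from 192.0.2.10 # office
</Limit>
<Limit FROB get>
  Deny from all
</Limit>
"""


def audit_config(text):
    """Return (line_no, cve, detail) tuples for lines that need review."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comments are ordinary comments
        m = LIMIT_RE.match(line)
        if m:
            # Method names are case-sensitive, so "get" is not "GET".
            unknown = [w for w in m.group(1).split() if w not in BUILTIN_METHODS]
            if unknown:
                findings.append((no, "CVE-2017-9798", ",".join(unknown)))
        m = ACCESS_RE.match(line)
        if m and "#" in m.group(2):
            findings.append((no, "CVE-2017-12171", m.group(1).capitalize()))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

Findings are a prompt to correct the configuration line; the fix for both CVEs remains the package update listed in this advisory.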
Update packages.
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
N/A
SRPMS
- httpd-2.2.15-60.6.0.1.AXS4.src.rpm
MD5: 88fd6decf2f7d59394fbc96f15e31409
SHA-256: 59b3caa36511b08ae14e8a3e3d45df696369b2811e6ae0271ecb584171f28b34
Size: 6.49 MB
Asianux Server 4 for x86
- httpd-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: 930a9be4e98d359e28753c3e8a6ce1c6
SHA-256: c39e180984809f03e31397d076fb51c51954ccb4aeb2bc19c93450a368033e0d
Size: 845.20 kB
- httpd-devel-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: b5dce4ba8cdbe020bee90a8c160d5314
SHA-256: ce497555b84cb299095909503c2f7d2f287c2a33beb7e3b92abb50e3f7051837
Size: 158.09 kB
- httpd-manual-2.2.15-60.6.0.1.AXS4.noarch.rpm
MD5: f447f4963bd80b83ce26cd8afa510d3f
SHA-256: 78070182f41d1d93cdf0e66b4c6dfc3a8caf1780303227c074632ce1e3c7530f
Size: 791.93 kB
- httpd-tools-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: ed8ef9b34e752d657e6c1a97a1540fe0
SHA-256: 1a88cc7bc864a0e567957a1731f2b6f55686248fbb101d054229fc89d9131573
Size: 80.52 kB
- mod_ssl-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: b5eada10b399e55599c3e7a9f914898e
SHA-256: 2e5c97a7261406f31c7932bb9107c1217373d7cbdbccaae0d38230e900677d49
Size: 99.08 kB
Asianux Server 4 for x86_64
- httpd-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: 1a8b6b0b702260379e961b115673e86e
SHA-256: fb83e38fd3b35a5e13efae6c2f1585d188e878f1cc44753a37e41e935d419399
Size: 837.84 kB
- httpd-devel-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: c2395b646f019a88238f07a4de034f32
SHA-256: 4dbcad3d04503cb5d544a8afcfdd8af1bbe3984544ba0f441d4e5c5e452f23ab
Size: 157.64 kB
- httpd-manual-2.2.15-60.6.0.1.AXS4.noarch.rpm
MD5: 35e1d8ec6e366c0d29b20f8e051b2f91
SHA-256: 7889ba545d36701c26617a8ab41a6a25b26a20ea649aafe54b611926be295e1d
Size: 791.46 kB
- httpd-tools-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: 02dd59f8527528a3b9a80133f563477a
SHA-256: e3b9b26aad2b7bf28f660d16db3bfc547d6c1fe8adc6ba77d2efd4c742bc9c97
Size: 79.51 kB
- mod_ssl-2.2.15-60.6.0.1.AXS4.x86_64.rpm
MD5: d9581ccb67d630a2f59cf7ed0d34fa0a
SHA-256: e2ebed6c9887970dd59520ab9c946e05c16350e85ec8abf73d18639b8a1fd03d
Size: 97.70 kB
- httpd-devel-2.2.15-60.6.0.1.AXS4.i686.rpm
MD5: b5dce4ba8cdbe020bee90a8c160d5314
SHA-256: ce497555b84cb299095909503c2f7d2f287c2a33beb7e3b92abb50e3f7051837
Size: 158.09 kB