Apache optionsbleed (CVE-2017-9798)

Today we have released updated Docker containers with the patches from Debian/Canonical for the Apache optionsbleed vulnerability following the Ubuntu release of those security patches a few hours ago. Updated containers are available for the 1.8.2, 1.8.1 and 1.8.0 release tags. For details of what optionsbleed is, please see the references section at the bottom of the article.

We believe that, provided you have not modified the .htaccess file that the project ships, there is no exposure to this vulnerability. However, we are providing updated containers as a "belt and braces" approach.

If you are running a Xibo CMS with the official project Docker containers, then you may wish to consider updating the containers to apply the patch.

To update, please use the following instructions:

  • Locate your existing Xibo CMS Docker installation. It will be where you have your shared folder and your config.env file.
  • Before attempting the update, please be sure that your media and database files are being correctly written to the shared directory. This is particularly important if you are running on a Windows computer. To do so, upload, for example, an image into the CMS and check that the same image appears in the shared/cms/library directory. Another good check is to make sure that shared/backup/db/latest.tar.gz was created within the last 24 hours. If either of those checks fails, please do not proceed with the update as this will lead to data loss. Seek support to recover the situation.
  • Open a shell/command prompt and change into the location of your installation:

Windows:
c:\> cd\xibo

Linux:
cd /opt/xibo

  • Run the following docker-compose commands, assuming you don't use remote mysql or custom ports.

docker-compose pull
docker-compose up -d

The CMS containers will restart with the patched version of Apache.

  • If you use remote-mysql or custom-ports variants of the docker-compose file, then don't forget to add in the -f option for that:

docker-compose -f cms_custom-ports.yml pull
docker-compose -f cms_custom-ports.yml up -d

or

docker-compose -f cms_remote-mysql.yml pull
docker-compose -f cms_remote-mysql.yml up -d

There will be a short period where the CMS is unavailable ranging from a few seconds to a few minutes. Please be patient.
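
The pre-update check described in the steps above can be scripted on a Linux host. The following is an added example, not part of the official Xibo instructions: the function name, its return codes, the 60-minute window for the test upload and the gzip integrity test are assumptions of this example, and it relies on a `find` that supports `-mmin` (GNU, BSD or BusyBox).

```shell
#!/bin/sh
# Added example: pre-update check for a Xibo CMS Docker installation.
# The paths are the ones named in the steps above; the function name, return
# codes and the 60-minute upload window are assumptions of this example.
#
# Usage (Linux, default compose file):
#   check_xibo_shared /opt/xibo && docker-compose pull && docker-compose up -d

# Returns 0 if both checks pass, 1 for a backup problem, 2 for a library
# problem, 3 if DIR does not look like an installation directory.
check_xibo_shared() {
    dir=$1
    backup="$dir/shared/backup/db/latest.tar.gz"
    library="$dir/shared/cms/library"

    # The installation directory holds config.env and the shared folder.
    if [ ! -f "$dir/config.env" ] || [ ! -d "$dir/shared" ]; then
        echo "FAIL: $dir does not contain config.env and shared/" >&2
        return 3
    fi

    # Database backup: present, non-empty, written in the last 24 h (1440 min).
    if [ ! -s "$backup" ] || [ -z "$(find "$backup" -mmin -1440 2>/dev/null)" ]; then
        echo "FAIL: $backup is missing, empty or older than 24 hours" >&2
        return 1
    fi
    # Extra check added here: a truncated archive is not a usable backup.
    if ! gzip -t "$backup" 2>/dev/null; then
        echo "FAIL: $backup is not a valid gzip archive" >&2
        return 1
    fi

    # Media: the test image uploaded through the CMS must have reached the host.
    if [ ! -d "$library" ] ||
       [ -z "$(find "$library" -type f -mmin -60 2>/dev/null | head -n 1)" ]; then
        echo "FAIL: no file written to $library in the last 60 minutes" >&2
        return 2
    fi

    echo "OK: media and database backups are reaching the shared directory"
    return 0
}
```

Upload the test image through the CMS first, then run the check; any non-zero return means the update should not be started.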

If you are running Apache in front of your Docker containers as a reverse proxy, you should also ensure that it is updated to the latest version from your provider. On most current Linux systems, that will simply mean applying the latest updates from your distribution.

References: