
New Apache Version Needed as a Bundle

PostPosted: 17. October 2017 18:46
by paciolan_noc
Hello.

We are currently running XAMPP (version 7.0.23) on Linux, and the version of Apache (2.4.27) is showing up as vulnerable in our PCI scan:

"On systems with the Limit directive set within a '.htaccess' file and set to an invalid HTTP method, a remote user can send a specially crafted HTTP OPTIONS request for a path to trigger a use-after-free memory error and view potentially sensitive information from process memory on the target system. This vulnerability is referred to as "Optionsbleed". This affects Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27."


We are instructed to upgrade Apache to version 2.4.28 to resolve this vulnerability. Was hoping you could provide a new bundle with the newest version of Apache installed.

Please advise. Thanks in advance.

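The scan text quoted above names two things a practitioner can check without waiting for a new bundle: whether any .htaccess on the server contains a Limit directive with a method Apache does not know, and whether repeated OPTIONS requests come back with an Allow header that carries anything other than clean HTTP tokens. The script below is an added example written for this page, not code from the original post, from XAMPP or from the Apache project. The sample .htaccess and the two HTTP responses are constructed inputs; the set of documented Limit methods and the probe() function (plain HTTP to a host you are authorised to test, many requests because the fault is non-deterministic) are assumptions stated in the comments.

```python
"""
Two checks for the Optionsbleed condition described in the PCI finding.
Added example; not code from the original forum post or from XAMPP/Apache.
"""
import re
import socket  # assumption: only probe() uses it; the offline checks do not

# HTTP token characters per RFC 7230 (tchar). A legitimate Allow value is a
# comma-separated list of tokens, so anything outside this set is leaked bytes.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Method names documented for <Limit>/<LimitExcept> (assumption: this list;
# HEAD is not listed because Limit GET also covers HEAD).
KNOWN_LIMIT_METHODS = {
    "GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}
LIMIT_RE = re.compile(r"<\s*Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)


def odd_limit_methods(htaccess_text):
    """Return method names inside <Limit>/<LimitExcept> that are not documented.
    An unrecognised name is the configuration precondition quoted in the scan."""
    odd = []
    for match in LIMIT_RE.finditer(htaccess_text):
        for method in match.group(1).split():
            if method.upper() not in KNOWN_LIMIT_METHODS:
                odd.append(method)
    return odd


def extract_allow(raw_response):
    """Pull the Allow header value out of a raw HTTP/1.1 response (bytes).
    latin-1 maps every byte to one character, so leaked garbage survives decoding."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return value.strip()
    return None


def classify_allow(raw_response):
    """'missing', 'clean' or 'suspicious' for one OPTIONS response."""
    value = extract_allow(raw_response)
    if not value:
        return "missing"
    entries = [e.strip() for e in value.split(",")]
    if all(entries) and all(TCHAR.match(e) for e in entries):
        return "clean"
    return "suspicious"


def probe(host, port=80, path="/", count=50, timeout=5.0):
    """Send `count` OPTIONS requests and tally classify_allow() results.
    Assumption: plain HTTP against a host you are authorised to test. The
    use-after-free is non-deterministic, so a single clean reply proves nothing."""
    tally = {"clean": 0, "suspicious": 0, "missing": 0}
    request = (
        f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    for _ in range(count):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        tally[classify_allow(b"".join(chunks))] += 1
    return tally


# Constructed sample inputs (not captured from a real server).
SAMPLE_HTACCESS = """\
<Limit GET POST OPTIONS BREW>
    Require all granted
</Limit>
"""
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.27\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n\r\n"
)
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.27\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,\x7f\x00sess=\xe9\xff\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("undocumented Limit methods:", odd_limit_methods(SAMPLE_HTACCESS))
    for raw in (CLEAN_RESPONSE, LEAKY_RESPONSE):
        print(classify_allow(raw), repr(extract_allow(raw)))
```

Run it as-is to see the offline checks on the constructed data; point probe() at a test instance only once you are allowed to, and treat a mix of "clean" with any "suspicious" or "missing" results over many requests as the signature the scan is describing, since the leaked content differs from request to request.
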
Re: New Apache Version Needed as a Bundle

PostPosted: 17. October 2017 21:32
by Altrea
Hi,

If you are aware of security scans, then you should not use XAMPP.
XAMPP is a local test and development environment, and as such it is not necessary to react to each security vulnerability.
Is this security vulnerability a problem for a local test and development environment at all? A security assessment is worthless if an experienced IT expert does not put these results into the right context. XAMPP is not optimized for security at all.

There will be a new XAMPP version, but when it's done and which components it includes, I don't know. There is no publicly accessible release plan.

Install and couple all the single components yourself; then you have full control over the versions included and can upgrade a single component at a time instead of needing to switch the full stack.

best wishes,
Altrea