Luxembourg, September 20th, 2017
A vulnerability has been found in the Apache's web server httpd component which allows remote attackers to read secret data from process memory if the Limit directive is set in a user's .htaccess file, or if httpd.conf contains certain misconfigurations, also known as Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.
A CVE is available:
and additional details of Optionsbleed are available here:
Administrators of NoMachine Cloud Server, which uses Apache 2.4.27, can continue to provide web-based access to users provided that they do not put .htaccess with a bad Limit directive into the html root of the server installation.
NoMachine developers will release the fix in the next scheduled release. Should customers have any questions, they are invited to contact the support team.
The NoMachine Security Team