Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-1028-1 apache2

Debian Security Advisory

DLA-1028-1 apache2 -- LTS security update

Date Reported:

17 Jul 2017

Affected Packages:

apache2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-9788.

More information:

Robert Święcki discovered that the value placeholder in [Proxy-]Authorization Digest headers were not initialized or reset before or between successive key=value assignments in Apache 2's mod_auth_digest module

Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request leading to leakage of potentially confidential information and a segfault.

For Debian 7 Wheezy, this issue has been fixed in apache2 version 2.2.22-13+deb7u10.

We recommend that you upgrade your apache2 packages.