Debian Security Advisory

DLA-1028-1 apache2 -- LTS security update

Date Reported:
17 Jul 2017
Affected Packages:
apache2
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2017-9788.
More information:

Robert Święcki discovered that the value placeholder in [Proxy-]Authorization Digest headers was not initialized or reset before or between successive key=value assignments in Apache 2's mod_auth_digest module.

Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information and a segfault.
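To make the defect class concrete, here is an added toy parser for the comma-separated key=value list of a Digest header; it is written for this page and is not mod_auth_digest's own code. With `reset_between_tokens` set to 0 it mimics the advisory's bug within a single header (the value buffer is only written when a '=' is present, so a bare key reflects the previous token's value); with it set to 1 the buffer is cleared before every token, which is the fix. The names `parse_digest`, `struct param` and the sample header are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 8
#define MAX_LEN 64

/* One parsed key/value pair from a Digest Authorization header (hypothetical type). */
struct param { char key[MAX_LEN]; char value[MAX_LEN]; };

/* Parse `hdr` into `out`, returning the number of pairs found.
 * reset_between_tokens == 0: vulnerable mode, `value` keeps whatever the previous
 *   token stored, so a key with no '=' is reported with a stale value.
 * reset_between_tokens != 0: hardened mode, `value` is cleared before each token.
 * In the real bug the stale bytes came from unreset pool memory of the prior
 * request; here the buffer is a local initialised once, so only in-header
 * carry-over is shown. */
int parse_digest(const char *hdr, struct param out[MAX_PARAMS], int reset_between_tokens)
{
    char value[MAX_LEN] = "";   /* constructed stand-in for the pool placeholder */
    int n = 0;
    const char *p = hdr;
    while (*p && n < MAX_PARAMS) {
        while (*p == ' ' || *p == ',') p++;          /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',' && *p != '=') p++;    /* key runs to ',' or '=' */
        size_t klen = (size_t)(p - start); if (klen >= MAX_LEN) klen = MAX_LEN - 1;
        memcpy(out[n].key, start, klen); out[n].key[klen] = '\0';
        if (reset_between_tokens) value[0] = '\0';   /* the fix: never reuse a value */
        if (*p == '=') {
            p++;
            int quoted = (*p == '"'); if (quoted) p++;
            start = p;
            while (*p && (quoted ? *p != '"' : *p != ',')) p++;
            size_t vlen = (size_t)(p - start); if (vlen >= MAX_LEN) vlen = MAX_LEN - 1;
            memcpy(value, start, vlen); value[vlen] = '\0';
            if (quoted && *p == '"') p++;
        }
        strcpy(out[n].value, value);                 /* stale in vulnerable mode */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample header: a normal quoted pair followed by a bare key. */
    struct param v[MAX_PARAMS];
    int n = parse_digest("username=\"alice\", stale", v, 0);
    for (int i = 0; i < n; i++) printf("%s -> \"%s\"\n", v[i].key, v[i].value);
    return 0;
}
```

In vulnerable mode the bare key `stale` is reported with the value `alice`; in hardened mode it is reported with an empty value.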

For Debian 7 Wheezy, this issue has been fixed in apache2 version 2.2.22-13+deb7u10.

We recommend that you upgrade your apache2 packages.