Debian Security Advisory
DLA-1028-1 apache2 -- LTS security update
- Date Reported: 17 Jul 2017
- Affected Packages:
- Security database references:
  - In Mitre's CVE dictionary: CVE-2017-9788.
- More information:
Robert Święcki discovered that the value placeholder in [Proxy-]Authorization Digest headers was not initialized or reset before or between successive key=value assignments in Apache 2's mod_auth_digest module.
Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information and a segfault.
For Debian 7 Wheezy, this issue has been fixed in apache2 version 2.2.22-13+deb7u10.
We recommend that you upgrade your apache2 packages.
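
The bug class described above, modelled as an added example: a simplified key[=value] parser written for this page, not Apache's mod_auth_digest code. The names `parse_params`, `struct param`, `scratch` and the header strings are constructed; `scratch` is a caller-owned, NUL-terminated buffer standing in for the reused value storage, so the result is deterministic where the advisory describes uninitialized pool memory.

```c
#include <ctype.h>
#include <string.h>
#define VAL_MAX 64
struct param { char key[VAL_MAX]; char value[VAL_MAX]; };

/* Toy key[=value] list parser (not Apache's code). scratch models a value
 * buffer reused across requests; reset=0 is the flawed form, 1 the fixed. */
int parse_params(const char *s, char *scratch, struct param *out, int max, int reset)
{
    int n = 0;
    while (n < max) {
        size_t k = 0, v = 0;
        while (isspace((unsigned char)*s) || *s == ',') s++;
        if (*s == '\0') break;
        while (*s && *s != '=' && *s != ',' && !isspace((unsigned char)*s)) {
            if (k < VAL_MAX - 1) out[n].key[k++] = *s;
            s++;
        }
        out[n].key[k] = '\0';
        while (isspace((unsigned char)*s)) s++;
        if (reset) scratch[0] = '\0';      /* fixed form: clear before every key */
        if (*s == '=') {
            s++;
            while (isspace((unsigned char)*s)) s++;
            int quoted = (*s == '"');
            if (quoted) s++;
            while (*s && (quoted ? *s != '"'
                                 : (*s != ',' && !isspace((unsigned char)*s)))) {
                if (v < VAL_MAX - 1) scratch[v++] = *s;
                s++;
            }
            if (quoted && *s == '"') s++;
            scratch[v] = '\0';
        }
        strcpy(out[n].value, scratch);     /* bare key: whatever scratch holds */
        n++;
    }
    return n;
}

/* Two constructed "requests" share one scratch buffer; returns 1 when the
 * second, a bare key with no '=', is handed the first request's value. */
int stale_value_reflected(int reset)
{
    struct param p[4];
    char scratch[VAL_MAX] = "";
    parse_params("username=\"alice\", realm=site", scratch, p, 4, reset);
    parse_params("nonce", scratch, p, 4, reset);
    return strcmp(p[0].value, "site") == 0;
}
```

With `reset` set to 0 the bare `nonce` key inherits the previous request's value; with `reset` set to 1 it gets an empty string.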