[SECURITY] [DLA 1028-1] apache2 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : apache2
Version        : 2.2.22-13+deb7u10
CVE ID         : CVE-2017-9788
Debian Bug     : #868467

Robert Święcki discovered that the value placeholder in [Proxy-]Authorization
Digest headers was not initialized or reset before or between successive
key=value assignments in Apache 2's mod_auth_digest module.

Providing an initial key with no '=' assignment could reflect the stale value
of uninitialized pool memory used by the prior request, leading to leakage of
potentially confidential information and a segfault.

For Debian 7 "Wheezy", this issue has been fixed in apache2 version
2.2.22-13+deb7u10.

We recommend that you upgrade your apache2 packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
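
The bug class described in the advisory, as an added example that is not part of the original advisory and is not Apache's code: a simplified key=value parser with the missing reset beside the corrected form. The names parse_field, reset_value and FIELD_MAX and the sample header are hypothetical, and the value buffer is zeroed so that the stale data is the previous key's value rather than uninitialized pool memory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64
/* Simplified model of a key=value header parser; NOT Apache's code.
 * Copies the value parsed for key `want` into `out`; returns 1 if found.
 * reset_value=0 models the flaw: the value buffer is written only when an
 * '=' follows the key, so a bare key inherits the previous key's value.
 * reset_value=1 models the fix: the buffer is cleared for every key. */
int parse_field(const char *hdr, const char *want, int reset_value,
                char out[FIELD_MAX])
{
    char key[FIELD_MAX];
    char value[FIELD_MAX] = "";  /* zeroed so the demo is deterministic */
    while (*hdr != '\0') {
        size_t k = 0, v = 0;
        while (isspace((unsigned char)*hdr) || *hdr == ',')
            hdr++;
        while (*hdr != '=' && *hdr != ',' && *hdr != '\0' &&
               !isspace((unsigned char)*hdr) && k < FIELD_MAX - 1)
            key[k++] = *hdr++;
        key[k] = '\0';
        if (reset_value)
            value[0] = '\0';     /* hardened: nothing carries over */
        if (*hdr == '=') {
            hdr++;
            while (*hdr != ',' && *hdr != '\0' && v < FIELD_MAX - 1)
                value[v++] = *hdr++;
            value[v] = '\0';
        }
        if (k > 0 && strcmp(key, want) == 0) {
            strcpy(out, value);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample header: "nonce" has no '=' assignment. */
    const char *hdr = "username=alice, nonce";
    char out[FIELD_MAX];
    for (int fixed = 0; fixed <= 1; fixed++)
        if (parse_field(hdr, "nonce", fixed, out))
            printf("reset_value=%d nonce=\"%s\"\n", fixed, out);
    return 0;
}
```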
