http://svn.apache.org/r1800955
Regards Rüdiger Von: Rashmi Srinivasan [mailto:rashmisrinivasan2...@gmail.com] Gesendet: Montag, 17. Juli 2017 07:50 An: d...@httpd.apache.org Cc: users@httpd.apache.org Betreff: Re: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest Hi, Please can you point us to the patch for this CVE? regards, Rashmi On Thu, Jul 13, 2017 at 6:32 PM, William A Rowe Jr <wr...@rowe-clan.net<mailto:wr...@rowe-clan.net>> wrote: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest Severity: Important Vendor: The Apache Software Foundation Versions Affected: all versions through 2.2.33 and 2.4.26 Description: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault Mitigation: All users of httpd should upgrade to 2.4.27 (or minimally 2.2.34, which will receive no further security releases.) Alternately, the administrator could configure httpd to reject requests with a header matching a complex regular expression identifing where = character does not occur in the first key=value pair, as in the following syntax; [Proxy-]Authorization: Digest key[,key=value] Credit: The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue. References: https://httpd.apache.org/security_report.html
