Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2017/07/13 13:02:52 UTC

CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or reset
before or between successive key=value assignments
by mod_auth_digest.
Providing an initial key with no '=' assignment
could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault.

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases.)
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifying where = character does not occur
in the first key=value pair, as in the following syntax:
[Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html
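
Added example (not part of the original advisory and not httpd's own code): a C check for the header shape the Mitigation section describes, a Digest [Proxy-]Authorization value whose first key is not followed by '='. The function names, enum values and sample headers are constructed for illustration, and tolerating blanks before '=' is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

enum hdr_class { HDR_NOT_DIGEST, HDR_DIGEST_OK, HDR_DIGEST_FIRST_KEY_NO_EQ };
static int is_lws(char c) { return c == ' ' || c == '\t'; }

/* Classify the value of an Authorization or Proxy-Authorization header. */
enum hdr_class check_digest_header(const char *v)
{
    while (is_lws(*v)) v++;
    if (strncasecmp(v, "Digest", 6) != 0) return HDR_NOT_DIGEST;
    v += 6;
    if (*v != '\0' && !is_lws(*v)) return HDR_NOT_DIGEST; /* e.g. "Digestive" */

    /* Skip separators in front of the first key. */
    while (is_lws(*v) || *v == ',') v++;
    if (*v == '\0') return HDR_DIGEST_OK; /* no key at all: not the advisory's shape */
    /* Consume the first key, then require '=' (optional blanks: assumption). */
    while (*v && *v != '=' && *v != ',' && !is_lws(*v)) v++;
    while (is_lws(*v)) v++;
    return *v == '=' ? HDR_DIGEST_OK : HDR_DIGEST_FIRST_KEY_NO_EQ;
}

/* Constructed sample header values, not taken from real traffic. */
static const char *const SAMPLES[] = {
    "Digest username=\"alice\", realm=\"test\", nonce=\"abc\"",
    "Digest username",
    "Digest username, realm=\"test\"",
    "digest \tnonce = \"abc\"",
    "Basic dXNlcjpwYXNz",
};
enum { N_SAMPLES = sizeof SAMPLES / sizeof SAMPLES[0] };

/* Count the values a filter built on this check would reject. */
size_t count_flagged(const char *const *vals, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += check_digest_header(vals[i]) == HDR_DIGEST_FIRST_KEY_NO_EQ;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%d  %s\n", (int)check_digest_header(SAMPLES[i]), SAMPLES[i]);
    printf("flagged: %zu\n", count_flagged(SAMPLES, N_SAMPLES));
    return 0;
}
```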

[users@httpd] AW: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Posted by Plüm, Rüdiger, Vodafone Group <ru...@vodafone.com>.
http://svn.apache.org/r1800955

Regards

Rüdiger

From: Rashmi Srinivasan [mailto:rashmisrinivasan2007@gmail.com]
Sent: Monday, 17 July 2017 07:50
To: dev@httpd.apache.org
Cc: users@httpd.apache.org
Subject: Re: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Hi,

Please can you point us to the patch for this CVE?

regards,
Rashmi

On Thu, Jul 13, 2017 at 6:32 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or reset
before or between successive key=value assignments
by mod_auth_digest.
Providing an initial key with no '=' assignment
could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault.

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases.)
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifying where = character does not occur
in the first key=value pair, as in the following syntax:
[Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html



[users@httpd] Re: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Posted by Rashmi Srinivasan <ra...@gmail.com>.
Hi,

Please can you point us to the patch for this CVE?

regards,
Rashmi

On Thu, Jul 13, 2017 at 6:32 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> all versions through 2.2.33 and 2.4.26
>
> Description:
> The value placeholder in [Proxy-]Authorization headers
> of type 'Digest' was not initialized or reset
> before or between successive key=value assignments
> by mod_auth_digest.
> Providing an initial key with no '=' assignment
> could reflect the stale value of uninitialized pool
> memory used by the prior request, leading to leakage
> of potentially confidential information, and a segfault.
>
> Mitigation:
> All users of httpd should upgrade to 2.4.27 (or minimally
> 2.2.34, which will receive no further security releases.)
> Alternately, the administrator could configure httpd to
> reject requests with a header matching a complex regular
> expression identifying where = character does not occur
> in the first key=value pair, as in the following syntax:
> [Proxy-]Authorization: Digest key[,key=value]
>
> Credit:
> The Apache HTTP Server security team would like to thank Robert Święcki
> for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html
>
