Date: Thu, 13 Jul 2017 08:01:53 -0500 From: William A Rowe Jr <wrowe@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest Severity: Important Vendor: The Apache Software Foundation Versions Affected: all versions through 2.2.33 and 2.4.26 Description: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault Mitigation: All users of httpd should upgrade to 2.4.27 (or minimally 2.2.34, which will receive no further security releases.) Alternately, the administrator could configure httpd to reject requests with a header matching a complex regular expression identifing where = character does not occur in the first key=value pair, as in the following syntax; [Proxy-]Authorization: Digest key[,key=value] Credit: The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue. References: https://httpd.apache.org/security_report.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.