Hi, Please can you point us to the patch for this CVE?
regards, Rashmi On Thu, Jul 13, 2017 at 6:32 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: > all versions through 2.2.33 and 2.4.26 > > Description: > The value placeholder in [Proxy-]Authorization headers > of type 'Digest' was not initialized or reset > before or between successive key=value assignments. > by mod_auth_digest > Providing an initial key with no '=' assignment > could reflect the stale value of uninitialized pool > memory used by the prior request, leading to leakage > of potentially confidential information, and a segfault > > Mitigation: > All users of httpd should upgrade to 2.4.27 (or minimally > 2.2.34, which will receive no further security releases.) > Alternately, the administrator could configure httpd to > reject requests with a header matching a complex regular > expression identifing where = character does not occur > in the first key=value pair, as in the following syntax; > [Proxy-]Authorization: Digest key[,key=value] > > Credit: > The Apache HTTP Server security team would like to thank Robert Święcki > for reporting this issue. > > References: > https://httpd.apache.org/security_report.html >
