Apache2 security update for Debian 7 LTS
Posted on: 07/17/2017 02:06 PM

An Apache2 security update has been released for Debian GNU/Linux 7 LTS

Package : apache2
Version : 2.2.22-13+deb7u10
CVE ID : CVE-2017-9788
Debian Bug : #868467

Robert Święcki discovered that the value placeholder in [Proxy-]Authorization
Digest headers were not initialized or reset before or between successive
key=value assignments in Apache 2's mod_auth_digest module

Providing an initial key with no '=' assignment could reflect the stale value
of uninitialized pool memory used by the prior request leading to leakage of
potentially confidential information and a segfault.

For Debian 7 "Wheezy", this issue has been fixed in apache2 version
2.2.22-13+deb7u10.

We recommend that you upgrade your apache2 packages.



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/apache2_security_update_for_debian_7_lts.html)