Debian 9899 Published by

An Apache2 security update has been released for Debian GNU/Linux 7 LTS

Package : apache2
Version : 2.2.22-13+deb7u10
CVE ID : CVE-2017-9788
Debian Bug : #868467

Robert Święcki discovered that the value placeholder in [Proxy-]Authorization
Digest headers were not initialized or reset before or between successive
key=value assignments in Apache 2's mod_auth_digest module

Providing an initial key with no '=' assignment could reflect the stale value
of uninitialized pool memory used by the prior request leading to leakage of
potentially confidential information and a segfault.

For Debian 7 "Wheezy", this issue has been fixed in apache2 version

We recommend that you upgrade your apache2 packages.