Bugzilla – Bug 1048576
VUL-0: CVE-2017-9788: apache2: Uninitialized memory reflection in mod_auth_digest
Last modified: 2019-07-18 06:46:06 UTC
CVE-2017-9788 CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest From: William A Rowe Jr <wrowe () apache org> Date: Thu, 13 Jul 2017 08:01:53 -0500 CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest Severity: Important Vendor: The Apache Software Foundation Versions Affected: all versions through 2.2.33 and 2.4.26 Description: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault Mitigation: All users of httpd should upgrade to 2.4.27 (or minimally 2.2.34, which will receive no further security releases.) Alternately, the administrator could configure httpd to reject requests with a header matching a complex regular expression identifing where = character does not occur in the first key=value pair, as in the following syntax; [Proxy-]Authorization: Digest key[,key=value] Credit: The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue. References: https://httpd.apache.org/security_report.html http://seclists.org/oss-sec/2017/q3/127
2.4.x commit https://svn.apache.org/viewvc?view=revision&revision=1800955 2.2.x commit https://svn.apache.org/viewvc?view=revision&revision=1800962
Packages was submitted to 10sp3/apache2 and 12sp2/apache2. 11sp1/apache2 will be fixed by version update to 2.2.34 (sr#135939).
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-08-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63793
SUSE-SU-2017:1961-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1023616,1043055,1048576 CVE References: CVE-2017-9788 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): apache2-2.4.23-29.3.2 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): apache2-2.4.23-29.3.2 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): apache2-2.4.23-29.3.2 SUSE Linux Enterprise Server 12-SP3 (src): apache2-2.4.23-29.3.2 SUSE Linux Enterprise Server 12-SP2 (src): apache2-2.4.23-29.3.2
SUSE-SU-2017:1997-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1041830,1048576,951692 CVE References: CVE-2017-9788 Sources used: SUSE Studio Onsite 1.3 (src): apache2-2.2.34-70.5.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): apache2-2.2.34-70.5.1 SUSE Linux Enterprise Server 11-SP4 (src): apache2-2.2.34-70.5.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): apache2-2.2.34-70.5.1
openSUSE-SU-2017:2016-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1023616,1043055,1048576 CVE References: CVE-2017-9788 Sources used: openSUSE Leap 42.3 (src): apache2-2.4.23-13.1 openSUSE Leap 42.2 (src): apache2-2.4.23-8.9.1
This is reading uninitialized memory from a memory pool. Crash will only happen if there is no \0 before the end, so it will run into a non-present PAGE. So: - information leak out of this pool - potential crash when there is no \0 before the next unmapped page.
The uninitialized memory is not directly returned to the user, but e.g. the "uri=" would be written into the error page.
Packages submitted.
SUSE-SU-2017:2449-1: An update that solves four vulnerabilities and has four fixes is now available. Category: security (moderate) Bug References: 1035829,1041830,1043484,1043607,1045060,1045062,1045065,1048576 CVE References: CVE-2017-3167,CVE-2017-3169,CVE-2017-7679,CVE-2017-9788 Sources used: SUSE OpenStack Cloud 6 (src): apache2-2.4.16-20.10.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): apache2-2.4.16-20.10.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): apache2-2.4.16-20.10.1
Has this patch been made available for SLES 11 sp3 LTSS customers?
Not yet, it is however queued in QA.
SUSE-SU-2017:2756-1: An update that solves 5 vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1035829,1041830,1045060,1045062,1045065,1048576,1058058,980663 CVE References: CVE-2017-3167,CVE-2017-3169,CVE-2017-7679,CVE-2017-9788,CVE-2017-9798 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): apache2-2.4.10-14.28.1
released