Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

apache2: CVE-2017-9788

Related Vulnerabilities: CVE-2017-9788  

Source

Debian Bug report logs - #868467
apache2: CVE-2017-9788

version graph

Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 15 Jul 2017 19:27:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version apache2/2.4.10-10

Fixed in versions apache2/2.4.25-3+deb9u2, apache2/2.4.10-10+deb8u10, apache2/2.4.27-1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#868467; Package src:apache2. (Sat, 15 Jul 2017 19:27:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sat, 15 Jul 2017 19:27:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: CVE-2017-9788
Date: Sat, 15 Jul 2017 21:26:25 +0200
Source: apache2
Version: 2.4.10-10
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for apache2.

CVE-2017-9788[0]:
| In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value
| placeholder in [Proxy-]Authorization headers of type 'Digest' was not
| initialized or reset before or between successive key=value
| assignments by mod_auth_digest. Providing an initial key with no '='
| assignment could reflect the stale value of uninitialized pool memory
| used by the prior request, leading to leakage of potentially
| confidential information, and a segfault in other cases resulting in
| denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788

Regards,
Salvatore

Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Sun, 16 Jul 2017 09:21:06 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 16 Jul 2017 09:21:06 GMT) (full text, mbox, link).

Message #10 received at 868467-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>
To: 868467-close@bugs.debian.org
Subject: Bug#868467: fixed in apache2 2.4.27-1
Date: Sun, 16 Jul 2017 09:19:08 +0000
Source: apache2
Source-Version: 2.4.27-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868467@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Jul 2017 10:39:15 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 851094 868467
Changes:
 apache2 (2.4.27-1) unstable; urgency=medium
 .
   [ New upstream release ]
   * Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
     Closes: #868467
 .
   [ Stefan Fritsch ]
   * Switch to openssl 1.1. Closes: #851094
Checksums-Sha1:
 4c9929738607878e8b122fd50649339fdf1fea73 2942 apache2_2.4.27-1.dsc
 699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc 6527394 apache2_2.4.27.orig.tar.bz2
 9d90a728b8f2becb22f37758e3b3cd17ac53ff00 694008 apache2_2.4.27-1.debian.tar.xz
 d4fa9abae9086b40540f3bdde6a02c1b89c0c7b8 1192060 apache2-bin_2.4.27-1_amd64.deb
 5bce059d1e04e6e72f1e0aabc193ea387e6c0318 162236 apache2-data_2.4.27-1_all.deb
 dfb51121d41b243d0e9a725a5fc68e32bc42aa28 3963208 apache2-dbg_2.4.27-1_amd64.deb
 cbb3be675d7bcf47f024f0413081cd29651827ef 317144 apache2-dev_2.4.27-1_amd64.deb
 30c3d3a223bf85f051bf465678ade249d979fcf1 3820334 apache2-doc_2.4.27-1_all.deb
 9dbc9b2d5b209f02e381037a4bf6e1c09cfe18ff 2250 apache2-ssl-dev_2.4.27-1_amd64.deb
 e3ad58007884abfcfb11f5f79a2130f3e2c03da7 158384 apache2-suexec-custom_2.4.27-1_amd64.deb
 7257c19b0df9664923803ef61087725f4a229103 156880 apache2-suexec-pristine_2.4.27-1_amd64.deb
 9b2a6b212823e296d0b9ccb883f90ce656761fc7 220232 apache2-utils_2.4.27-1_amd64.deb
 b82752e0743674f14b6fec1622f28fb84108043c 9616 apache2_2.4.27-1_amd64.buildinfo
 09229ef8a787e9f7c482e9ee00318905d947ac8a 238966 apache2_2.4.27-1_amd64.deb
Checksums-Sha256:
 5d3a4cdfe6dcaf484e2caf1ff0badc3dc685158f36cdafe4b19398341e6dd0bf 2942 apache2_2.4.27-1.dsc
 71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a 6527394 apache2_2.4.27.orig.tar.bz2
 2ad01a1884005e1ee3bd26075e9cba32ca8195e48b37360fb75b050992cb5e34 694008 apache2_2.4.27-1.debian.tar.xz
 f0698baeaaaabdfc8de46d9f1a360239656de853a9c80f7a3dabadfe70121f29 1192060 apache2-bin_2.4.27-1_amd64.deb
 b55e54cfeb3559cb76f83b2a71c4b8114ade59fa1d1a0eb8f4422608dcdeb6e1 162236 apache2-data_2.4.27-1_all.deb
 10d2eeb6cdf76ee08fb7fafcaa0f1e4dbe2fd9110ea7ec324dcbd8d33789e448 3963208 apache2-dbg_2.4.27-1_amd64.deb
 092a099f43bf3f7b17438f1294131555f47a65e4a331adc9b39cb317f792226b 317144 apache2-dev_2.4.27-1_amd64.deb
 5e94b656ab141bb8a62b683f4a6266b64e7f6190d15c41ae81b68081e93396fd 3820334 apache2-doc_2.4.27-1_all.deb
 376ae443f36d9749525729fcdd2d934b7ff1e903a1b0da001d516853b12a2385 2250 apache2-ssl-dev_2.4.27-1_amd64.deb
 fdc2d1e39e580660eda766cd0aac9734d954bef1d1c7097707ca39f89f56558a 158384 apache2-suexec-custom_2.4.27-1_amd64.deb
 aa9b44c460daf4d2c0d12d95edd619210e59781d49db8b71d7b6914b5f488251 156880 apache2-suexec-pristine_2.4.27-1_amd64.deb
 c53959f16d353392e97cbd3b7ed36861f427f731bce8af82d4cac01badbe6e5c 220232 apache2-utils_2.4.27-1_amd64.deb
 3e43c4838be1503380aa0438542409921eeb36280971aa52d4d798e682cd92d4 9616 apache2_2.4.27-1_amd64.buildinfo
 73ac0f7def1b98ca005ddfdc19c34d1a94102d2d169b261a3fcb4906cb0d73f9 238966 apache2_2.4.27-1_amd64.deb
Files:
 1f4f6143e9ed2137c03fce1dc9d2cbc4 2942 httpd optional apache2_2.4.27-1.dsc
 97b6bbfa83c866dbe20ef317e3afd108 6527394 httpd optional apache2_2.4.27.orig.tar.bz2
 b3fc2f557c1abbcc5ac708910fa64d6c 694008 httpd optional apache2_2.4.27-1.debian.tar.xz
 7e8b4fa889670987c53c0a176c45d9ab 1192060 httpd optional apache2-bin_2.4.27-1_amd64.deb
 b279b3c5d5f3350da9e614d174265cd4 162236 httpd optional apache2-data_2.4.27-1_all.deb
 84f8e6cf8184e568503d1103d259b40f 3963208 debug extra apache2-dbg_2.4.27-1_amd64.deb
 b39ffb338e08a0b23b5ad5510169dfb1 317144 httpd optional apache2-dev_2.4.27-1_amd64.deb
 5b50724834cb61afa8087415c8596690 3820334 doc optional apache2-doc_2.4.27-1_all.deb
 1a4241995993b0554d50730d8af83a6b 2250 httpd optional apache2-ssl-dev_2.4.27-1_amd64.deb
 0a49ff3a44e2f33b37c089275eac6598 158384 httpd extra apache2-suexec-custom_2.4.27-1_amd64.deb
 0b9be88171083aa54b77d2b2eee9ec53 156880 httpd optional apache2-suexec-pristine_2.4.27-1_amd64.deb
 90fb1110cbdb6556f2b1edc435566c3f 220232 httpd optional apache2-utils_2.4.27-1_amd64.deb
 1c4536020654e79e9cb76b3f99ba931b 9616 httpd optional apache2_2.4.27-1_amd64.buildinfo
 36399e3019a037b2073720b94e641249 238966 httpd optional apache2_2.4.27-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAllrLGsACgkQxodfNUHO
/eBiWBAAtHiYHFZ1h5VfnPbKZTgmmRmcMx3rfL9yrrmBzX5Ba/hDaQtkfRaBmJAE
RQrx+jU7lGzgkCUkvFc5c/SvbFJmXnbKd+bgnJbCNuWq5ScV6Ax7nDbKx8bqePp0
Kg0dg+lc8EQWkge3/V4a5CYYzmSZ72zuJNmvB4JB829fES1WzIIY+FrTHeCYe2Aa
0wDYZ1vA1my0YdvfScnzqvzS2caLAXnRZ3qLa2hAv60sOGfx3td0xETISreGqG5f
OEFxkGIdPb7z68c25SQMIP7kqE3mH/4Nx1L0sgIwMZShZ9MW23UdRSVFjm/+a/mb
gCfwt0yG6dzqEgCFTo5bPHkd5eVjb+/fJmn4a5EjHnpl26wOpd3ZQWACfNyY5EVM
Q2gR1ZV5FW93/nyIpVRvXrT2Fu5EwuB5LylMSiMzVd4/b6AtM2VF/3F2l2/+XV9F
XzSwjnxa4D1OX5MHiDMmFhp7CE7kZO2O+KK0Z581PyM0zUrwu3ekQqIvln9Rkd5C
LSHyc3DZz21H44RqLZTicneX8xXUgHsXLr95AjdEEHIwdat0HGpy6dQS1CaRI6AA
TvkH7XFpm+6I4u95sIUwSX8rLCyHcNbmT4mpL6E1n4Sc55OzcI9abwGS1bhya8rl
aYOhLbxoo9NVaSlRru/W0ZMdfFiGZFlkswGPuWrVhDMhuUDCwHA=
=xKws
-----END PGP SIGNATURE-----

Marked as fixed in versions apache2/2.4.10-10+deb8u10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 18 Jul 2017 19:15:02 GMT) (full text, mbox, link).

Marked as fixed in versions apache2/2.4.25-3+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 18 Jul 2017 19:15:03 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Sep 2017 07:30:08 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:16:10 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started