From: Rashmi Srinivasan
Date: Mon, 17 Jul 2017 11:20:03 +0530
Subject: Re: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
To: dev@httpd.apache.org
Cc: users@httpd.apache.org

Hi,

Please can you point us to the patch for this CVE?

regards,
Rashmi

On Thu, Jul 13, 2017 at 6:32 PM, William A Rowe Jr wrote:
> CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> all versions through 2.2.33 and 2.4.26
>
> Description:
> The value placeholder in [Proxy-]Authorization headers
> of type 'Digest' was not initialized or reset
> before or between successive key=value assignments.
> by mod_auth_digest
> Providing an initial key with no '=' assignment
> could reflect the stale value of uninitialized pool
> memory used by the prior request, leading to leakage
> of potentially confidential information, and a segfault
>
> Mitigation:
> All users of httpd should upgrade to 2.4.27 (or minimally
> 2.2.34, which will receive no further security releases.)
> Alternately, the administrator could configure httpd to
> reject requests with a header matching a complex regular
> expression identifying where = character does not occur
> in the first key=value pair, as in the following syntax;
> [Proxy-]Authorization: Digest key[,key=value]
>
> Credit:
> The Apache HTTP Server security team would like to thank Robert Święcki
> for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html
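
The header shape named in the quoted Mitigation section, `[Proxy-]Authorization: Digest key[,key=value]`, written as a detection check over raw request heads. This is an added example, not part of the original thread and not httpd's code or its fix; the function names and the sample requests are constructed for illustration.

```python
"""Flag Digest credentials shaped like the advisory's 'Digest key[,key=value]'."""

AUTH_HEADERS = ("authorization", "proxy-authorization")


def first_key_lacks_value(header_value):
    """True when a Digest credential's first item is a key with no '='."""
    parts = header_value.strip().split(None, 1)
    if len(parts) < 2 or parts[0].lower() != "digest":
        return False  # other schemes, or a bare "Digest" with no items
    # Only the first comma-separated item matters. A comma inside a quoted
    # value can only occur after that item's '=', so a plain split is safe.
    first_item = parts[1].split(",", 1)[0].strip()
    return bool(first_item) and "=" not in first_item


def flagged_headers(raw_request):
    """Return the names of auth headers in a raw request head that match."""
    hits = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in AUTH_HEADERS and first_key_lacks_value(value):
            hits.append(name.strip())
    return hits


# Constructed sample requests (not captured traffic).
WELL_FORMED = (
    "GET /private/ HTTP/1.1\r\nHost: example.test\r\n"
    'Authorization: Digest username="alice", realm="private", nonce="abc", '
    'uri="/private/", response="0123"\r\n\r\n'
)
KEY_WITHOUT_VALUE = (
    "GET /private/ HTTP/1.1\r\nHost: example.test\r\n"
    'Proxy-Authorization: Digest username, realm="private"\r\n\r\n'
)
BASIC = "GET / HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic dXNlcjpwdw==\r\n\r\n"

if __name__ == "__main__":
    samples = [("well-formed", WELL_FORMED), ("key without value", KEY_WITHOUT_VALUE), ("basic", BASIC)]
    for label, request in samples:
        print(label, flagged_headers(request))
```

A match only says the request has the shape the advisory describes; whether a server is exposed still depends on running an affected version (through 2.2.33 or 2.4.26).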