[SECURITY] [DSA 3913-1] apache2 security update

2017-07-1820:22:26

lists.debian.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

JSON

Debian Security Advisory DSA-3913-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
July 18, 2017 https://www.debian.org/security/faq

Package : apache2
CVE ID : CVE-2017-9788
Debian Bug : 868467

Robert Swiecki reported that mod_auth_digest does not properly
initialize or reset the value placeholder in [Proxy-]Authorization
headers of type 'Digest' between successive key=value assignments,
leading to information disclosure or denial of service.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.4.10-10+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.25-3+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.27-1.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8ppc64elapache2.2-common< 2.4.10-10+deb8u10apache2.2-common_2.4.10-10+deb8u10_ppc64el.deb
Debian7armelapache2.2-common< 2.2.22-13+deb7u10apache2.2-common_2.2.22-13+deb7u10_armel.deb
Debian8amd64apache2-mpm-prefork< 2.4.10-10+deb8u10apache2-mpm-prefork_2.4.10-10+deb8u10_amd64.deb
Debian8mipselapache2-mpm-event< 2.4.10-10+deb8u10apache2-mpm-event_2.4.10-10+deb8u10_mipsel.deb
Debian8mipsapache2-mpm-event< 2.4.10-10+deb8u10apache2-mpm-event_2.4.10-10+deb8u10_mips.deb
Debian7armhfapache2-threaded-dev< 2.2.22-13+deb7u10apache2-threaded-dev_2.2.22-13+deb7u10_armhf.deb
Debian8i386apache2.2-common< 2.4.10-10+deb8u10apache2.2-common_2.4.10-10+deb8u10_i386.deb
Debian9armhfapache2-suexec-pristine< 2.4.25-3+deb9u2apache2-suexec-pristine_2.4.25-3+deb9u2_armhf.deb
Debian7amd64apache2-mpm-worker< 2.2.22-13+deb7u10apache2-mpm-worker_2.2.22-13+deb7u10_amd64.deb
Debian8mipsellibapache2-mod-proxy-html< 2.4.10-10+deb8u10libapache2-mod-proxy-html_2.4.10-10+deb8u10_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	ppc64el	apache2.2-common	< 2.4.10-10+deb8u10	apache2.2-common_2.4.10-10+deb8u10_ppc64el.deb
Debian	7	armel	apache2.2-common	< 2.2.22-13+deb7u10	apache2.2-common_2.2.22-13+deb7u10_armel.deb
Debian	8	amd64	apache2-mpm-prefork	< 2.4.10-10+deb8u10	apache2-mpm-prefork_2.4.10-10+deb8u10_amd64.deb
Debian	8	mipsel	apache2-mpm-event	< 2.4.10-10+deb8u10	apache2-mpm-event_2.4.10-10+deb8u10_mipsel.deb
Debian	8	mips	apache2-mpm-event	< 2.4.10-10+deb8u10	apache2-mpm-event_2.4.10-10+deb8u10_mips.deb
Debian	7	armhf	apache2-threaded-dev	< 2.2.22-13+deb7u10	apache2-threaded-dev_2.2.22-13+deb7u10_armhf.deb
Debian	8	i386	apache2.2-common	< 2.4.10-10+deb8u10	apache2.2-common_2.4.10-10+deb8u10_i386.deb
Debian	9	armhf	apache2-suexec-pristine	< 2.4.25-3+deb9u2	apache2-suexec-pristine_2.4.25-3+deb9u2_armhf.deb
Debian	7	amd64	apache2-mpm-worker	< 2.2.22-13+deb7u10	apache2-mpm-worker_2.2.22-13+deb7u10_amd64.deb
Debian	8	mipsel	libapache2-mod-proxy-html	< 2.4.10-10+deb8u10	libapache2-mod-proxy-html_2.4.10-10+deb8u10_mipsel.deb