The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault. Affected are all versions through 2.2.33 and 2.4.26.
External References:
https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27
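A constructed C model of the bug class described above, added here and not mod_auth_digest's own code: a key[=value] list parser whose value placeholder outlives each item. The static buffer stands in for pool memory reused across requests; the reset_each flag switches between the unreset behaviour and the per-key reset the fix restores.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PAIRS 8
#define SZ 32
struct pair { char key[SZ]; char value[SZ]; };

/* Parses a comma-separated "key[=value]" list into out[] and returns the
 * item count. The placeholder is static on purpose: it models memory that
 * is reused from one request to the next. With reset_each = 0 a key with
 * no '=' keeps whatever the previous item or previous call left behind;
 * with reset_each = 1 it is cleared before every key. */
int parse_digest(const char *hdr, struct pair *out, int reset_each)
{
    static char value[SZ];          /* survives across calls on purpose */
    char buf[256], *tok;
    int n = 0;

    strncpy(buf, hdr, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, ","); tok && n < MAX_PAIRS; tok = strtok(NULL, ",")) {
        char *eq;
        while (*tok == ' ')
            tok++;
        if (reset_each)
            value[0] = '\0';        /* the fix: nothing carries over */
        eq = strchr(tok, '=');
        if (eq) {
            *eq = '\0';
            strncpy(value, eq + 1, SZ - 1);
            value[SZ - 1] = '\0';
        }
        strncpy(out[n].key, tok, SZ - 1);
        out[n].key[SZ - 1] = '\0';
        strncpy(out[n].value, value, SZ - 1);
        out[n].value[SZ - 1] = '\0';
        n++;
    }
    return n;
}

int main(void)
{
    struct pair p[MAX_PAIRS];
    int mode;
    for (mode = 0; mode <= 1; mode++) {
        parse_digest("username=alice, realm=secret", p, mode); /* request 1 */
        parse_digest("nonce", p, mode);                         /* request 2: bare key */
        printf("%s: nonce=\"%s\"\n", mode ? "fixed" : "unfixed", p[0].value);
    }
    return 0;
}
```

The unfixed run reports the previous request's realm as the value of the bare "nonce" key; the fixed run reports an empty value.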
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1470756]
Patch: http://svn.apache.org/viewvc?view=revision&revision=1800919
Mitigation: If you do not use digest authentication, do not load the "auth_digest_module". For example, on RHEL 7, this can be done by commenting out or removing the "LoadModule auth_digest_module modules/mod_auth_digest.so" line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service. You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 6; Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS. Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2708
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2709
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2017:2710 https://access.redhat.com/errata/RHSA-2017:2710
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6; Red Hat JBoss Enterprise Web Server 2 for RHEL 7. Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Extended Update Support Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2017:3195 https://access.redhat.com/errata/RHSA-2017:3195
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Extended Update Support Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:3239 https://access.redhat.com/errata/RHSA-2017:3239
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6; Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Via RHSA-2017:3240 https://access.redhat.com/errata/RHSA-2017:3240