CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

The value placeholder in [Proxy-]Authorization headers
of type Digest was not initialized or reset by
mod_auth_digest before or between successive key=value
assignments. Providing an initial key with no = assignment
could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault.

All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases).
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifying where the = character does not occur
in the first key=value pair, as in the following syntax:
[Proxy-]Authorization: Digest key[,key=value]
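As an added illustration, not httpd's own code, the following constructed C model shows the defect described above and the interim check it implies: a single value slot reused across requests stands in for pool memory left behind by the prior request, and the function and variable names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not httpd's code: one slot reused across requests,
 * standing in for pool memory left behind by the previous request. */
static char value_slot[32] = "";

/* Parse a Digest parameter list such as "k1=v1, k2, k3=v3" and return the
 * value recorded for the first key. With reset=0 the slot is not cleared
 * before the key is handled, so a key with no '=' reports whatever the
 * previous request left there (the CVE-2017-9788 pattern); reset=1 clears it. */
const char *first_value(const char *params, int reset)
{
    char buf[128];
    strncpy(buf, params, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *pair = buf;
    while (*pair == ' ') pair++;
    char *comma = strchr(pair, ',');   /* isolate the first pair */
    if (comma) *comma = '\0';
    if (reset) value_slot[0] = '\0';
    char *eq = strchr(pair, '=');
    if (eq) {                          /* only then is the slot written */
        strncpy(value_slot, eq + 1, sizeof value_slot - 1);
        value_slot[sizeof value_slot - 1] = '\0';
    }
    return value_slot;
}

/* The advisory's interim mitigation as a check: return 1 when a Digest
 * header's first key carries no '=' assignment and should be rejected. */
int reject_missing_assignment(const char *header)
{
    static const char prefix[] = "Digest ";
    if (strncmp(header, prefix, sizeof prefix - 1) != 0)
        return 0;                      /* not a Digest header */
    for (const char *p = header + sizeof prefix - 1; *p && *p != ','; p++)
        if (*p == '=')
            return 0;                  /* first pair is key=value */
    return 1;
}

int main(void)
{
    printf("request 1: %s\n", first_value("username=\"alice\"", 0));
    printf("request 2: %s\n", first_value("username", 0));  /* stale */
    printf("reject: %d\n", reject_missing_assignment("Digest username"));
    return 0;
}
```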

The Apache HTTP Server security team would like to thank Robert Świ=C4=
for reporting this issue.