{"id":"MGASA-2017-0298","summary":"Updated apache packages fix security vulnerabilities","details":"In Apache httpd before 2.4.27, the value placeholder in\n[Proxy-]Authorization headers of type 'Digest' was not initialized or\nreset before or between successive key=value assignments by\nmod_auth_digest. Providing an initial key with no '=' assignment could\nreflect the stale value of uninitialized pool memory used by the prior\nrequest, leading to leakage of potentially confidential information, and\na segfault in other cases resulting in denial of service\n(CVE-2017-9788).\n\nWhen under stress, closing many connections, the HTTP/2 handling code in\nApache httpd 2.4.26 would sometimes access memory after it has been\nfreed, resulting in potentially erratic behavior (CVE-2017-9789).\n","modified":"2026-04-16T06:25:06.322269688Z","published":"2017-08-24T07:52:24Z","upstream":["CVE-2017-9788","CVE-2017-9789"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0298.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=21500"},{"type":"WEB","url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"type":"WEB","url":"http://www.apache.org/dist/httpd/Announcement2.4.html"}],"affected":[{"package":{"name":"apache","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/apache?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.27-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0298.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}