On Fri, Aug 26, 2022 at 09:07:06PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for libapreq2.
>
> CVE-2022-22728[0]:
> | A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
> | buffer overflow while processing multipart form uploads. A remote
> | attacker could send a request causing a process crash which could lead
> | to a denial of service attack.

Based on the description, I assume it is this one:

  http://svn.apache.org/viewvc?view=revision&revision=1866760

I'm not sure if it counts as “buffer overflow”, but given that it only mentions DoS and not arbitrary code execution, NULL pointer dereference looks a lot like it.

2.13 appears vulnerable to me, given the description.

I don't use libapreq2 anymore, so anyone wanting to pick up the package would be more than welcome. Upstream homepage is now seemingly at:

  https://httpd.apache.org/apreq/

/* Steinar */
-- 
Homepage: https://www.sesse.net/