Your message dated Fri, 30 Dec 2022 14:40:46 +0000
with message-id <e1pbgyw-00avag...@fasolo.debian.org>
and subject line Bug#1018191: fixed in libapreq2 2.17-1
has caused the Debian Bug report #1018191,
regarding libapreq2: CVE-2022-22728: multipart form parse memory corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1018191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018191
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libapreq2
Version: 2.13-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libapreq2.

CVE-2022-22728[0]:
| A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
| buffer overflow while processing multipart form uploads. A remote
| attacker could send a request causing a process crash which could lead
| to a denial of service attack.

It has been asked in [2] if there is an isolated patch or upstream
issue as reference, as there are not many details on the CVE.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22728
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22728
[1] https://www.openwall.com/lists/oss-security/2022/08/25/3
[2] https://www.openwall.com/lists/oss-security/2022/08/26/4

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libapreq2
Source-Version: 2.17-1
Done: Tobias Frost <t...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libapreq2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1018...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <t...@debian.org> (supplier of updated libapreq2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 30 Dec 2022 13:17:29 +0100
Source: libapreq2
Architecture: source
Version: 2.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Tobias Frost <t...@debian.org>
Closes: 1018191 1027314 1027316
Changes:
 libapreq2 (2.17-1) unstable; urgency=medium
 .
   * QA upload.
   * Orphaning package as per maintainer request. Thanks to Steinar
     for their past work on the package!
   * Add VCS-* pointing to salsa.debian.org
   * New upstream release, fixes CVE-2022-22728, Closes: #1018191.
   * drop 05-nested-multipart-null-dereference.patch
     and annotate d/changelog for 2.13-6 with the CVE it fixes.
   * Add watch file, Closes: #1027314.
   * Add homepage field to d/control. Closes: #1027316.
Checksums-Sha1:
 389d2472dfe5a1ae030ea76b9e963e96a8164ada 2297 libapreq2_2.17-1.dsc
 db8ffc92e7e0210ec6265139d5df4a388b25d783 849867 libapreq2_2.17.orig.tar.gz
 dd26896ce9c59454ef93cb83d40ba0bab8f4b4d7 8792 libapreq2_2.17-1.debian.tar.xz
 cbdeed67e8a1ca31d23b93672ee71d10c09a3ba1 10395 libapreq2_2.17-1_amd64.buildinfo
Checksums-Sha256:
 512accaa124eb745b9debfeeabe816548da5ba2d62edbdff5860090164777bc9 2297 libapreq2_2.17-1.dsc
 046487f084c12fa1c822affc5f7de56efed9b48905a426e631a6b949c114d86c 849867 libapreq2_2.17.orig.tar.gz
 dff81d0d67157cab1752816173179443ca478cb35d30a28c3acd8e1f027f284a 8792 libapreq2_2.17-1.debian.tar.xz
 e7c9a47a5fc7a639d751acac11a1db5e8132ff59e3f459b9ced1435592a203cb 10395 libapreq2_2.17-1_amd64.buildinfo
Files:
 0275e67e93d6fed020745208738c82a6 2297 perl optional libapreq2_2.17-1.dsc
 41cd2091aa5b5560858566a74b1346f2 849867 perl optional libapreq2_2.17.orig.tar.gz
 9b9bdc757bc72d109bb392ebbba2751b 8792 perl optional libapreq2_2.17-1.debian.tar.xz
 7f1ea17831d4ace7973b7a480a7a12b3 10395 perl optional libapreq2_2.17-1_amd64.buildinfo


--- End Message ---
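The practical follow-up to this report is deciding, per host, whether the installed libapreq2 is at or past the version that carries the fix. The version strings involved (2.13-7 reported, 2.17-1 fixed in unstable, and stable backports of the form 2.13-7+deb11u1) only compare correctly under dpkg's own ordering, so the added example below re-implements that ordering (epoch, upstream_version, debian_revision; "~" sorts before end-of-string; digit runs compare numerically) and applies it to a package inventory. This is an added example, not code from libapreq2, dpkg or the Debian BTS; the binary package names and the dpkg-query output it consumes are constructed for the example. Note the caveat the changelog itself raises: the 2.13-6 patch is annotated with this CVE, so the threshold to test against is whatever the security tracker lists for the suite in question, passed in as a parameter, not 2.17 hard-coded.

```python
"""Check whether an installed libapreq2 is at or past the version that
closed CVE-2022-22728, using dpkg's version ordering.

Added example, not code from libapreq2, dpkg or the Debian BTS. It
re-implements dpkg's comparison so the check can run on a host without
dpkg, e.g. over a saved package inventory. Binary package names and the
dpkg-query output below are constructed for the example.
"""


def _order(c: str) -> int:
    """Character weight dpkg uses for the non-digit parts of a version."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c:
        return ord(c) + 256
    return 0               # end of string


def _ch(s: str, k: int) -> str:
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): compare one upstream or revision component."""
    i = j = 0
    while _ch(a, i) or _ch(b, j):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (_ch(a, i) and not _ch(a, i).isdigit()) or (
            _ch(b, j) and not _ch(b, j).isdigit()
        ):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison without int(), leading zeros dropped.
        while _ch(a, i) == "0":
            i += 1
        while _ch(b, j) == "0":
            j += 1
        while _ch(a, i).isdigit() and _ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _ch(a, i).isdigit():
            return 1       # a has more significant digits, so it is larger
        if _ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, fixed_version: str) -> bool:
    """True if `installed` is at or above the version carrying the fix."""
    return compare_versions(installed, fixed_version) >= 0


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
# The binary package names are assumed for the example, not taken from the
# report above (which names only the source package libapreq2).
SAMPLE_DPKG_OUTPUT = """\
libapreq2-3 2.13-7
libapreq2-3 2.17-1
libapache2-mod-apreq2 2.16-1
"""


def audit_dpkg_output(text: str, packages, fixed_version: str):
    """Return (package, version, fixed?) for each matching inventory line."""
    result = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in packages:
            continue
        result.append((parts[0], parts[1], is_fixed(parts[1], fixed_version)))
    return result


if __name__ == "__main__":
    for pkg, ver, ok in audit_dpkg_output(
        SAMPLE_DPKG_OUTPUT, {"libapreq2-3", "libapache2-mod-apreq2"}, "2.17-1"
    ):
        print(f"{pkg} {ver}: {'fixed' if ok else 'NEEDS UPDATE'}")
```

On a live Debian host the same decision is one line, `dpkg --compare-versions "$installed" ge "$fixed"`, and the re-implementation exists so the comparison can be applied to inventories collected from many hosts. The ordering matters in both directions: a backport such as 2.13-7+deb11u1 is newer than 2.13-7 but older than 2.17-1, and a pre-release like 2.17~rc1-1 is older than 2.17-1, so a naive string or float comparison would misjudge exactly the versions a security update produces.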
