2.17 is a dud.  What’s in trunk works fine though.

Joe Schaefer, Ph.D
<j...@sunstarsys.com>
+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki

________________________________
From: enge...@gsuite.cloud.apache.org <enge...@gsuite.cloud.apache.org> on behalf of Apache Security Team <secur...@apache.org>
Sent: Monday, January 2, 2023 7:30:43 AM
To: dev@httpd.apache.org <dev@httpd.apache.org>
Cc: Apache Security Team <secur...@apache.org>
Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.


Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton <jor...@apache.org> wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow 
> while processing multipart form uploads.  A remote attacker could send a 
> request causing a process crash which could lead to a denial of service 
> attack.
>
