On Mon, Jan 2, 2023 at 7:43 PM Joe Schaefer <j...@sunstarsys.com> wrote:
> 2.17 is a dud. What’s in trunk works fine though.

Ah, I didn't realize. Should we wait until 2.18 is out before making any recommendations to users?

Arnout

> ________________________________
> From: enge...@gsuite.cloud.apache.org <enge...@gsuite.cloud.apache.org> on behalf of Apache Security Team <secur...@apache.org>
> Sent: Monday, January 2, 2023 7:30:43 AM
> To: dev@httpd.apache.org <dev@httpd.apache.org>
> Cc: Apache Security Team <secur...@apache.org>
> Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
>
> Hi,
>
> I noticed there was some confusion online as to whether this issue is fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).
>
> Unless anyone objects I'll amend the CVE text to make it explicit that users are recommended to update to 2.17 or later.
>
> Luckily with the new CVE format the version ranges are more explicit, so this kind of confusion is less likely to occur again.
>
> Kind regards,
>
> Arnout
>
> On Thu, Aug 25, 2022 at 4:09 PM Joe Orton <jor...@apache.org> wrote:
> >
> > Severity: important
> >
> > Description:
> >
> > A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
> >