Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

2023-01-02 Thread Joe Schaefer
2.17 is a dud.  What’s in trunk works fine though.

Joe Schaefer, Ph.D

+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki


From: enge...@gsuite.cloud.apache.org on behalf of Apache Security Team
Sent: Monday, January 2, 2023 7:30:43 AM
To: dev@httpd.apache.org
Cc: Apache Security Team
Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.


Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow 
> while processing multipart form uploads.  A remote attacker could send a 
> request causing a process crash which could lead to a denial of service 
> attack.
>


Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

2023-01-02 Thread Apache Security Team
Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.


Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow 
> while processing multipart form uploads.  A remote attacker could send a 
> request causing a process crash which could lead to a denial of service 
> attack.
>