Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
On Mon, Jan 2, 2023 at 7:43 PM Joe Schaefer wrote:
> 2.17 is a dud. What’s in trunk works fine though.

Ah, I didn't realize. Should we wait until 2.18 is out before making any
recommendations to users?

Arnout

>
> From: enge...@gsuite.cloud.apache.org on
> behalf of Apache Security Team
> Sent: Monday, January 2, 2023 7:30:43 AM
> To: dev@httpd.apache.org
> Cc: Apache Security Team
> Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory
> corruption
>
> Hi,
>
> I noticed there was some confusion online as to whether this issue is
> fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).
>
> Unless anyone objects I'll amend the CVE text to make it explicit that
> users are recommended to update to 2.17 or later.
>
> Luckily with the new CVE format the version ranges are more explicit,
> so this kind of confusion is less likely to occur again.
>
>
> Kind regards,
>
> Arnout
>
> On Thu, Aug 25, 2022 at 4:09 PM Joe Orton wrote:
> >
> > Severity: important
> >
> > Description:
> >
> > A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow
> > while processing multipart form uploads. A remote attacker could send a
> > request causing a process crash which could lead to a denial of service
> > attack.
> >
Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
2.17 is a dud. What’s in trunk works fine though.

Joe Schaefer, Ph.D
+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki

From: enge...@gsuite.cloud.apache.org on behalf of Apache Security Team
Sent: Monday, January 2, 2023 7:30:43 AM
To: dev@httpd.apache.org
Cc: Apache Security Team
Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.

Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow
> while processing multipart form uploads. A remote attacker could send a
> request causing a process crash which could lead to a denial of service
> attack.
>
Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.

Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow
> while processing multipart form uploads. A remote attacker could send a
> request causing a process crash which could lead to a denial of service
> attack.
>
CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
Severity: important

Description:

A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow
while processing multipart form uploads. A remote attacker could send a
request causing a process crash which could lead to a denial of service
attack.