CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
Severity: important

Description:

A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.


Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton <jorton@apache.org> wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
>
Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
2.17 is a dud. What's in trunk works fine though.

Joe Schaefer, Ph.D
<joe@sunstarsys.com>
+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki

________________________________
From: engelen@gsuite.cloud.apache.org <engelen@gsuite.cloud.apache.org> on behalf of Apache Security Team <security@apache.org>
Sent: Monday, January 2, 2023 7:30:43 AM
To: dev@httpd.apache.org <dev@httpd.apache.org>
Cc: Apache Security Team <security@apache.org>
Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

Hi,

I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).

Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.

Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.


Kind regards,

Arnout

On Thu, Aug 25, 2022 at 4:09 PM Joe Orton <jorton@apache.org> wrote:
>
> Severity: important
>
> Description:
>
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
>
Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
On Mon, Jan 2, 2023 at 7:43 PM Joe Schaefer <joe@sunstarsys.com> wrote:
> 2.17 is a dud. What’s in trunk works fine though.

Ah, I didn't realize. Should we wait until 2.18 is out before making
any recommendations to users?


Arnout

> ________________________________
> From: engelen@gsuite.cloud.apache.org <engelen@gsuite.cloud.apache.org> on behalf of Apache Security Team <security@apache.org>
> Sent: Monday, January 2, 2023 7:30:43 AM
> To: dev@httpd.apache.org <dev@httpd.apache.org>
> Cc: Apache Security Team <security@apache.org>
> Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
>
> Hi,
>
> I noticed there was some confusion online as to whether this issue is
> fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).
>
> Unless anyone objects I'll amend the CVE text to make it explicit that
> users are recommended to update to 2.17 or later.
>
> Luckily with the new CVE format the version ranges are more explicit,
> so this kind of confusion is less likely to occur again.
>
>
> Kind regards,
>
> Arnout
>
> On Thu, Aug 25, 2022 at 4:09 PM Joe Orton <jorton@apache.org> wrote:
> >
> > Severity: important
> >
> > Description:
> >
> > A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
> >