2.17 is a dud. What's in trunk works fine though.
Joe Schaefer, Ph.D
+1 (954) 253-3732
SunStar Systems, Inc.
Orion - The Enterprise Jamstack Wiki
From: email@example.com <firstname.lastname@example.org> on behalf of Apache Security Team <email@example.com>
Sent: Monday, January 2, 2023 7:30:43 AM
To: firstname.lastname@example.org <email@example.com>
Cc: Apache Security Team <firstname.lastname@example.org>
Subject: Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
I noticed there was some confusion online as to whether this issue is
fixed in 2.17 (https://www.openwall.com/lists/oss-security/2022/08/26/4).
Unless anyone objects I'll amend the CVE text to make it explicit that
users are recommended to update to 2.17 or later.
Luckily with the new CVE format the version ranges are more explicit,
so this kind of confusion is less likely to occur again.
On Thu, Aug 25, 2022 at 4:09 PM Joe Orton <email@example.com> wrote:
>
> Severity: important
> A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
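The thread turns on whether "2.16 and earlier" is read as including or excluding 2.17, which is exactly what the explicit version ranges in the CVE JSON 5.0 record format are meant to remove. The following is an added example, not code from the libapreq2 project, the Apache Security Team or the CVE program: it takes a hand-constructed `affected` block in the 5.0 shape (field names `versions[].version`, `status`, `versionType`, `lessThan`, `lessThanOrEqual`, `defaultStatus` follow the 5.0 schema; the record contents are an assumption written to mirror the advisory wording above, not the published record) and reports whether an installed libapreq2 version falls inside the affected range. Only dotted numeric versions are handled; anything else is rejected rather than guessed.

```python
"""Check an installed version against CVE JSON 5.0 style version ranges.

Added example. The AFFECTED record below is constructed by hand to mirror
"versions 2.16 and earlier" in the CVE 5.0 ``affected`` structure; it is
not the published CVE-2022-22728 record.
"""
import re

# Constructed record (assumption): one affected range, everything else unaffected.
AFFECTED = [
    {
        "vendor": "Apache Software Foundation",
        "product": "Apache libapreq2",
        "defaultStatus": "unaffected",
        "versions": [
            {
                "version": "0",              # range start (inclusive)
                "status": "affected",
                "versionType": "semver",
                "lessThanOrEqual": "2.16",   # range end (inclusive)
            }
        ],
    }
]


def parse_version(v: str) -> tuple:
    """Turn '2.16' into (2, 16). Refuses anything that is not dotted numeric,
    so a pre-release tag or a '*' wildcard is never silently mis-ordered."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"only dotted numeric versions are handled: {v!r}")
    return tuple(int(x) for x in v.split("."))


def cmp_versions(a: str, b: str) -> int:
    """Compare two dotted versions numerically; missing components count as 0,
    so '2.16' == '2.16.0'. Returns -1, 0 or 1."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def range_contains(entry: dict, installed: str) -> bool:
    """True if `installed` lies inside one versions[] entry.

    CVE 5.0 semantics: the entry starts at `version` (inclusive) and ends at
    `lessThan` (exclusive) or `lessThanOrEqual` (inclusive). A `lessThan` of
    '*' means unbounded. With neither bound the entry names one version only.
    """
    if cmp_versions(installed, entry["version"]) < 0:
        return False
    if "lessThan" in entry:
        if entry["lessThan"] == "*":
            return True
        return cmp_versions(installed, entry["lessThan"]) < 0
    if "lessThanOrEqual" in entry:
        return cmp_versions(installed, entry["lessThanOrEqual"]) <= 0
    return cmp_versions(installed, entry["version"]) == 0


def status_for(affected: list, product: str, installed: str) -> str:
    """Return 'affected', 'unaffected' or 'unknown' for `installed`.

    The first matching versions[] entry wins; a product with no matching
    entry falls back to its defaultStatus; an unlisted product is 'unknown'.
    """
    for prod in affected:
        if prod.get("product") != product:
            continue
        for entry in prod.get("versions", []):
            if range_contains(entry, installed):
                return entry["status"]
        return prod.get("defaultStatus", "unknown")
    return "unknown"


if __name__ == "__main__":
    for v in ("2.15", "2.16", "2.17", "2.17.1"):
        print(f"libapreq2 {v}: {status_for(AFFECTED, 'Apache libapreq2', v)}")
```

Because the bound is carried as `lessThanOrEqual: "2.16"` rather than as prose, 2.16 is reported affected and 2.17 unaffected without any reading of "and earlier"; the same function answers for a 5.0 record that uses `lessThan` with an exclusive fix version instead.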