From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 202305-20 ] libapreq2: Buffer Overflow
Date: Wed, 03 May 2023 10:05:07 -0000
Message-ID: <168310830766.8.16994355107443171252@2ac734cbf5a7>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202305-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
   Title: libapreq2: Buffer Overflow
    Date: May 03, 2023
    Bugs: #866536
      ID: 202305-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability has been discovered in libapreq2 which
could result in denial of service.

Background
==========

libapreq is a shared library with associated modules for manipulating
client request data via the Apache API.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-apache/libapreq2        < 2.17                     >= 2.17

Description
===========

TODO

Impact
======

An attacker could submit a crafted multipart form to trigger the buffer
overflow and cause a denial of service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libapreq2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.17"

References
==========

[ 1 ] CVE-2022-22728
      https://nvd.nist.gov/vuln/detail/CVE-2022-22728

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
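An added audit check, not part of the advisory or of Gentoo's own tooling: it applies the Affected packages table (www-apache/libapreq2 < 2.17 vulnerable, >= 2.17 unaffected) to installed versions using Gentoo's version ordering, so that a pre-release such as 2.17_rc1 is still flagged while 2.17-r1 is not. The qlist-style sample lines are constructed, and numeric version components are compared as plain integers, a simplification of the full PMS rules.

```python
"""Audit installed www-apache/libapreq2 versions against GLSA 202305-20 (< 2.17 vulnerable).
Added example, not Gentoo's own tooling; numeric components are compared as integers."""
import re
from typing import List, Tuple

# Gentoo suffix ordering (PMS): _alpha < _beta < _pre < _rc < release < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

_VER_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)

def parse_version(v: str) -> Tuple:
    """Turn a Gentoo version string into a tuple that sorts in PMS order."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Gentoo version: {v!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffixes = tuple((SUFFIX_RANK[name], int(num or 0))
                     for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes")))
    if not suffixes:                       # plain release sorts after _rc and before _p
        suffixes = ((SUFFIX_RANK[""], 0),)
    return (nums, m.group("letter") or "", suffixes, int(m.group("rev") or 0))

VULNERABLE_BELOW = "2.17"                  # from the advisory's Affected packages table

def is_vulnerable(installed: str) -> bool:
    """True when the installed version falls in the advisory's vulnerable range."""
    return parse_version(installed) < parse_version(VULNERABLE_BELOW)

# Constructed sample in the shape of `qlist -Iv www-apache/libapreq2` output (portage-utils).
SAMPLE_QLIST = "www-apache/libapreq2-2.16-r1\nwww-apache/libapreq2-2.17\n"

def audit(qlist_output: str, atom: str = "www-apache/libapreq2") -> List[Tuple[str, bool]]:
    """Return (version, vulnerable) for every installed instance of the package."""
    results = []
    for line in qlist_output.splitlines():
        line = line.strip()
        if line.startswith(atom + "-"):
            version = line[len(atom) + 1:]
            results.append((version, is_vulnerable(version)))
    return results

if __name__ == "__main__":
    for version, vuln in audit(SAMPLE_QLIST):
        state = "VULNERABLE, upgrade per GLSA 202305-20" if vuln else "unaffected"
        print(f"www-apache/libapreq2-{version}: {state}")
```

On a real Gentoo host, feed `audit()` the output of `qlist -Iv www-apache/libapreq2` instead of the constructed sample.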