
Bug#1018191: marked as done (libapreq2: CVE-2022-22728: multipart form parse memory corruption)



Your message dated Sun, 12 Feb 2023 19:32:11 +0000
with message-id <E1pRI55-00D0mS-1V@fasolo.debian.org>
and subject line Bug#1018191: fixed in libapreq2 2.13-7+deb11u1
has caused the Debian Bug report #1018191,
regarding libapreq2: CVE-2022-22728: multipart form parse memory corruption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1018191: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018191
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libapreq2
Version: 2.13-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for libapreq2.

CVE-2022-22728[0]:
| A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
| buffer overflow while processing multipart form uploads. A remote
| attacker could send a request causing a process crash which could lead
| to a denial of service attack.

It has been asked in [2] if there is an isolated patch or upstream
issue to reference, as there are not many details on the CVE.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-22728
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22728
[1] https://www.openwall.com/lists/oss-security/2022/08/25/3
[2] https://www.openwall.com/lists/oss-security/2022/08/26/4

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libapreq2
Source-Version: 2.13-7+deb11u1
Done: Tobias Frost <tobi@debian.org>

We believe that the bug you reported is fixed in the latest version of
libapreq2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1018191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tobias Frost <tobi@debian.org> (supplier of updated libapreq2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Feb 2023 05:55:31 +0100
Source: libapreq2
Architecture: source
Version: 2.13-7+deb11u1
Distribution: bullseye
Urgency: high
Maintainer: Steinar H. Gunderson <sesse@debian.org>
Changed-By: Tobias Frost <tobi@debian.org>
Closes: 1018191
Changes:
 libapreq2 (2.13-7+deb11u1) bullseye; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backport fix for CVE-2022-22728. (Closes: #1018191)
Checksums-Sha1:
 c89b75c8539e191089e90132fbb42dc64c34022f 2179 libapreq2_2.13-7+deb11u1.dsc
 db3761625a62230147896b47e9b047660b20ba28 891320 libapreq2_2.13.orig.tar.gz
 b7c32a712020e187fb4a475a4ccec28c4c4efc4e 12760 libapreq2_2.13-7+deb11u1.debian.tar.xz
 72f0339e658e03164642ffdcf28aa7b107236c05 10792 libapreq2_2.13-7+deb11u1_amd64.buildinfo
Checksums-Sha256:
 253e402769e9501c487dbe7403f0c6be31bd79a6cc551e3327cbe31d0631c5e1 2179 libapreq2_2.13-7+deb11u1.dsc
 5731e6833b32d88e4a5c690e45ddf20fcf969ce3da666c5627d775e92da0cf6e 891320 libapreq2_2.13.orig.tar.gz
 9261d5be403270d363aec0429f51f45ae1d079bf5f32b577ac3a91aaa871c3bd 12760 libapreq2_2.13-7+deb11u1.debian.tar.xz
 15dd7b11803ac0bbb676b489b6f0de79b6834ac3a53bc409e6d3bbe930059f4b 10792 libapreq2_2.13-7+deb11u1_amd64.buildinfo
Files:
 9d911b01b1e5487dd548f5a0b8ca5976 2179 perl optional libapreq2_2.13-7+deb11u1.dsc
 c11fb0861aa84dcc6cd0f0798b045eee 891320 perl optional libapreq2_2.13.orig.tar.gz
 4dc2a1cfb96ce5df733eb562fa856105 12760 perl optional libapreq2_2.13-7+deb11u1.debian.tar.xz
 b583b4e0c474912c4c9c6dbeda2f10d2 10792 perl optional libapreq2_2.13-7+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmPh+Q0ACgkQkWT6HRe9
XTYUsA//Thno1joil1qNwDLkb9Sem9BztdFTnnfJeJSOrGkRDTcBGzGRLjtXx5k3
nqAzTXOvsO2cbwPUMc5tQI3b3r2j8nnNJnlbw5+K4n/vfj2ixxX6hytI/Q0zbmtN
EVLUuY/jOn+tdkvzSyxsYQHpQlOqm8O2cwRIOaccId7fDoNTzBVH2iJH9ubbRhmn
+JLIi3SdDr2Gv6w3nxYev0aWP2n30zjjIjp8GfawiPBWjN8IjH8T2gOOGWijryPK
vd2u0mgBf+M41vOQ01m1I1LkyAaZH3w7a5UO9qLyTbanP4MKGDM/mcG4HjmLXQ1/
RTIJ/3GVxLbMffbLtCSOMexdygYK41sgfx8W0P1SU2UiJX3zS+B2GYJFORGjYC3l
ydOyP8hz2O4JmiJZqM+KnWjv/ISK3HflgYByybo95Pv2JDqm4O5rudvbgZCAtNNy
ziLOCW+xV/gUTHtynz56d0z2W5Jn1l4eKjeHRyFzZAIVJR74vp6NiKQJQ8D0TK/h
Qo75X0g4OKpmztetCDxmS1FAGYWJrUfvKnQjbf0HW7P0bSI0qUGP5U6c/4KjZRcK
lpj95Q4mjTvWh9ZfwKg+3H7D6NKPA/PoJ+Njpy3bYIP5czeBo/zyTaLwTJUrP9S9
VGXR5kreHh0+Yat/alNiSuoYn6QHVskLOI+8364LxdUhM3H+OOY=
=Kruf
-----END PGP SIGNATURE-----

--- End Message ---
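The signed .changes file above carries SHA-256, SHA-1 and MD5 digests for every artifact of the 2.13-7+deb11u1 upload. An administrator who pulls the source from a mirror to rebuild or audit the CVE-2022-22728 backport can chain trust from the PGP signature to the files by checking those digests. The following is an added example, not a Debian tool (the archive's own tooling is dscverify/debsign) and not code from this bug report: it parses the Checksums-Sha256, Checksums-Sha1 and Files stanzas of a .changes body and verifies the listed files on disk. It assumes the .changes text has already been GPG-verified (`gpg --verify` on the clearsigned message), since an unverified manifest proves nothing; the file names and contents in `demo()` are constructed test data, not the real libapreq2 artifacts.

```python
"""Verify files against the digest stanzas of a Debian .changes file.

Added example; assumes the .changes text was PGP-verified first.
"""
import hashlib
import os
import tempfile

# Stanza header -> hashlib algorithm name. Only sha256 carries real
# assurance; sha1/md5 are checked as a consistency cross-check.
DIGEST_SECTIONS = {
    "Checksums-Sha256": "sha256",
    "Checksums-Sha1": "sha1",
    "Files": "md5",
}


def parse_changes(text):
    """Return {filename: {"size": int, "sha256": hex, "sha1": hex, "md5": hex}}.

    Continuation lines start with whitespace. The Files: stanza has the
    form "md5 size section priority filename", the Checksums-* stanzas
    "digest size filename"; the filename is always the last field.
    """
    expected = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith((" ", "\t")):
            # A new field (or a PGP armor line) ends the current stanza.
            key = raw.split(":", 1)[0].strip()
            current = DIGEST_SECTIONS.get(key)
            continue
        if current is None:
            continue
        fields = raw.split()
        if len(fields) < 3:
            continue
        digest, size, filename = fields[0], int(fields[1]), fields[-1]
        entry = expected.setdefault(filename, {"size": size})
        if entry["size"] != size:
            raise ValueError(f"size mismatch for {filename} across stanzas")
        entry[current] = digest.lower()
    return expected


def verify_files(expected, directory):
    """Return {filename: [problems]}; an empty list means the file verified."""
    problems = {}
    for filename, entry in expected.items():
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            problems[filename] = ["missing"]
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        issues = []
        if len(data) != entry["size"]:
            issues.append(f"size {len(data)} != {entry['size']}")
        for algo in ("sha256", "sha1", "md5"):
            if algo in entry and hashlib.new(algo, data).hexdigest() != entry[algo]:
                issues.append(f"{algo} mismatch")
        problems[filename] = issues
    return problems


def _build_changes(files):
    """Construct a minimal .changes body for {name: bytes} (test data only)."""
    lines = ["Format: 1.8", "Source: example"]
    for header, algo in DIGEST_SECTIONS.items():
        lines.append(f"{header}:")
        for name, data in files.items():
            digest = hashlib.new(algo, data).hexdigest()
            extra = "perl optional " if header == "Files" else ""
            lines.append(f" {digest} {len(data)} {extra}{name}")
    return "\n".join(lines) + "\n"


def demo():
    """Verify constructed files, then tamper with one and verify again."""
    files = {
        "example_1.0-1.dsc": b"Format: 3.0 (quilt)\n",   # constructed
        "example_1.0.orig.tar.gz": bytes(range(256)),    # constructed
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        expected = parse_changes(_build_changes(files))
        clean = verify_files(expected, d)
        # Flip one byte of the tarball, as a modified mirror copy would.
        with open(os.path.join(d, "example_1.0.orig.tar.gz"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"\xff")
        tampered = verify_files(expected, d)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

For a real download, run `gpg --verify` on the .changes message first, then pass the verified text to `parse_changes()` and the download directory to `verify_files()`; any non-empty problem list means the artifact must not be built or installed.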
