CVE-2019-12412: libapreq2 null pointer dereference

Severity: important
Vendor: The Apache Software Foundation
Versions Affected: libapreq2 2.07 to 2.13

Description: In libapreq2 versions 2.07 through 2.13 inclusive, a flaw in the multipart parser can dereference a null pointer, leading to a process crash. A remote attacker could send a request causing a process crash, which could lead to a denial of service attack.

Mitigation: disable the libapreq2 multipart parser

Credit: Thanks to Max Kellerman and Salvatore Bonaccorso for finding and reporting this issue.

References: https://bugs.debian.org/939937
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22dc9ed6b5cc0884b2724dbc354ae63835ee3673

commit 22dc9ed6b5cc0884b2724dbc354ae63835ee3673
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-11-17 22:59:25 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-11-17 23:02:06 +0000

    www-apache/libapreq2: bump to 2.15

    Bug: https://bugs.gentoo.org/755164
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/libapreq2/Manifest              |  1 +
 www-apache/libapreq2/libapreq2-2.15.ebuild | 72 ++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Unable to check for sanity: > no match for package: www-apache/libapreq2-2.15
x86 stable
amd64 done
Ping ppc{,64}
ppc64 stable
Fails to build on ppc due to bug #738642.
ppc done

all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c7ef92ac9f0fa8eec67e9efc485e2e4f2dc98c1

commit 1c7ef92ac9f0fa8eec67e9efc485e2e4f2dc98c1
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-05-16 12:52:46 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-05-16 12:53:22 +0000

    www-apache/libapreq2: drop 2.13-r1 (EAPI 5)

    Bug: https://bugs.gentoo.org/755164
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apache/libapreq2/Manifest                 |  1 -
 www-apache/libapreq2/libapreq2-2.13-r1.ebuild | 63 ---------------------------
 2 files changed, 64 deletions(-)
Low impact -> no GLSA. All done.