[Bug 262557] [PATCH] www/apache24 - Update to 2.4.53 (Fix CVEs) see https://reviews.freebsd.org/D34549

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 14 Mar 2022 19:10:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262557

--- Comment #4 from Cy Schubert <cy@FreeBSD.org> ---
Subject: CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow
 with very large or unlimited LimitXMLRequestBody 
From: Stefan Eissing <icing@apache.org>
Date: Mon, 14 Mar 2022 10:07:40 +0000 (03:07 PDT)
To: announce@apache.org, dev@httpd.apache.org

Severity: low

Description:

If LimitXMLRequestBody is set to allow request bodies larger than 350MB
(defaults to 1M) on 32 bit systems an integer overflow happens which later
causes out of bounds writes.

This issue affects Apache HTTP Server 2.4.52 and earlier.

Credit:

Anonymous working with Trend Micro Zero Day Initiative

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
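
A configuration check for the condition the advisory describes, added here as an example and not taken from the Apache or FreeBSD projects. It assumes "350MB" means 350 * 1024 * 1024 bytes and that a value of 0 means "unlimited" (as the advisory subject suggests); the sample configuration is constructed. It reviews configuration text only and does not determine whether the host is a 32-bit build running 2.4.52 or earlier.

```python
import re

# Assumption: the advisory's "350MB" is read as 350 * 1024 * 1024 bytes.
THRESHOLD_BYTES = 350 * 1024 * 1024

DIRECTIVE = re.compile(r"LimitXMLRequestBody\s+(\S+)", re.IGNORECASE)
SECTION_OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"</\w+\s*>")

# Constructed sample httpd configuration (not from the page).
SAMPLE = """\
# global setting, equal to the default
LimitXMLRequestBody 1000000
<VirtualHost *:443>
    <Location "/dav">
        LimitXMLRequestBody 0
    </Location>
    <Directory "/srv/upload">
        limitxmlrequestbody 524288000
    </Directory>
</VirtualHost>
# LimitXMLRequestBody 0
"""

def audit(config_text):
    """Return (line_no, scope, value, reason) for each risky directive."""
    findings, scope = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        if SECTION_CLOSE.match(line):
            del scope[-1:]  # tolerate unbalanced close tags
            continue
        if m := SECTION_OPEN.match(line):
            scope.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        where = " > ".join(scope) or "server config"
        arg = m.group(1)
        if not arg.isdigit():
            findings.append((no, where, arg, "not a byte count"))
        elif int(arg) == 0:
            findings.append((no, where, 0, "unlimited"))
        elif int(arg) > THRESHOLD_BYTES:
            findings.append((no, where, int(arg), "above 350MB"))
    return findings
```

Calling `audit(SAMPLE)` reports the two settings inside the virtual host and ignores both the default-sized global value and the commented-out line.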