oss-sec mailing list archives

CVE-2019-12412: libapreq2 null pointer dereference


From: Joe Orton <jorton () apache org>
Date: Tue, 17 Nov 2020 17:06:55 +0000

CVE-2019-12412: libapreq2 null pointer dereference

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
libapreq2 2.07 to 2.13

Description:
In libapreq2 versions 2.07 through 2.13 inclusive, a flaw in the 
multipart parser can dereference a null pointer leading to a process
crash.  A remote attacker could send a request causing a process crash 
which could lead to a denial of service attack.

Mitigation:
disable the libapreq2 multipart parser

Credit:
Thanks to Max Kellerman and Salvatore Bonaccorso for finding and
reporting this issue.

References:
https://bugs.debian.org/939937

