
update: libmicrohttpd #1084

Closed
vbatts opened this issue Jun 19, 2023 · 1 comment · Fixed by flatcar/scripts#957
Assignees
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@vbatts
Member

vbatts commented Jun 19, 2023

Name: libmicrohttpd
CVEs: CVE-2023-27371
CVSSs: 5.9
Action Needed: update to >= 0.9.76

Summary: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.

refmap.gentoo: https://bugs.gentoo.org/905326
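As an added illustration of the defensive parsing the advisory summary points at, and not libmicrohttpd's own code (the function names, the sample Content-Type values and the sample body below are all constructed for this example), the following C snippet validates a multipart/form-data boundary against the character set and 70-byte limit of RFC 2046 using an explicit length, so an embedded '\0' byte is rejected instead of silently truncating the value, and then locates the boundary in a body buffer with a bounded loop that can never read past the end of the buffer whatever the boundary contains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
 * DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" /
 * ":" / "=" / "?" / " " and must not end with a space. */
#define MAX_BOUNDARY_LEN 70

static bool is_bchar(unsigned char c)
{
    if (c == '\0')                      /* NUL is never a boundary character */
        return false;
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return true;
    return strchr("'()+_,-./:=? ", c) != NULL;
}

/* Validate a boundary given with an explicit length, so embedded NUL bytes
 * are inspected rather than treated as the end of a C string. */
bool boundary_is_valid(const char *boundary, size_t len)
{
    if (len == 0 || len > MAX_BOUNDARY_LEN)
        return false;
    if (boundary[len - 1] == ' ')
        return false;
    for (size_t i = 0; i < len; i++)
        if (!is_bchar((unsigned char)boundary[i]))
            return false;               /* rejects '\0' and other control bytes */
    return true;
}

/* Extract the boundary parameter from a Content-Type value (explicit length).
 * Handles both quoted and unquoted forms; returns false if absent or invalid. */
bool parse_boundary_param(const char *ct, size_t ct_len, const char **out, size_t *out_len)
{
    static const char key[] = "boundary=";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen <= ct_len; i++) {
        if (memcmp(ct + i, key, klen) != 0)
            continue;
        const char *p = ct + i + klen;
        size_t rem = ct_len - (i + klen);
        bool quoted = rem > 0 && *p == '"';
        if (quoted) { p++; rem--; }
        size_t n = 0;
        while (n < rem && p[n] != ';' && p[n] != '"')
            n++;
        if (quoted && (n >= rem || p[n] != '"'))
            return false;               /* unterminated quoted value */
        if (!boundary_is_valid(p, n))
            return false;
        *out = p;
        *out_len = n;
        return true;
    }
    return false;
}

/* Convenience wrapper: does this Content-Type carry an acceptable boundary? */
bool content_type_boundary_ok(const char *ct, size_t ct_len)
{
    const char *b;
    size_t blen;
    return parse_boundary_param(ct, ct_len, &b, &blen);
}

/* Bounded search for "--" + boundary inside buf[0..buf_len).
 * Returns the offset of the delimiter or -1. Every byte compared lies
 * strictly below buf + buf_len, so the search cannot run off the buffer. */
long find_boundary_bounded(const char *buf, size_t buf_len, const char *boundary, size_t blen)
{
    const size_t needle_len = blen + 2;
    if (needle_len > buf_len)
        return -1;
    for (size_t i = 0; i + needle_len <= buf_len; i++) {
        if (buf[i] == '-' && buf[i + 1] == '-' && memcmp(buf + i + 2, boundary, blen) == 0)
            return (long)i;
    }
    return -1;
}

/* Constructed samples: a normal boundary and one carrying an embedded NUL byte. */
static const char CT_GOOD[] = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk";
static const char CT_NUL[]  = "multipart/form-data; boundary=ab\0cd";
static const char BODY[]    = "--abc\r\nhello\r\n--abc--";

int main(void)
{
    printf("good boundary accepted: %d\n", content_type_boundary_ok(CT_GOOD, sizeof CT_GOOD - 1));
    printf("NUL boundary accepted:  %d\n", content_type_boundary_ok(CT_NUL, sizeof CT_NUL - 1));
    printf("delimiter offset:       %ld\n", find_boundary_bounded(BODY, sizeof BODY - 1, "abc", 3));
    return 0;
}
```

The two ideas that matter for this class of bug are carried by the explicit `len` parameters: header values and bodies are treated as byte ranges rather than NUL-terminated strings, and the search loop's bound is derived from the buffer length, not from the boundary's own content.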

@vbatts vbatts added advisory security advisory security security concerns labels Jun 19, 2023
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Jun 19, 2023
@dongsupark dongsupark added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Jun 19, 2023
@dongsupark dongsupark moved this from 🪵Backlog to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Jun 29, 2023
@dongsupark dongsupark self-assigned this Jun 29, 2023
@dongsupark
Member

As libmicrohttpd is not in portage-stable-packages-list, we need to manually update it at least once.
Will soon start working on it.


2 participants