flatcar / Flatcar

Flatcar project repository for issue tracking, project documentation, etc.
https://www.flatcar.org/
Apache License 2.0

update: libmicrohttpd #1084

Closed vbatts closed 1 year ago

vbatts commented 1 year ago

Name: libmicrohttpd
CVEs: CVE-2023-27371
CVSSs: 5.9
Action Needed: update to >= 0.9.76

Summary: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.

refmap.gentoo: https://bugs.gentoo.org/905326
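As an added illustration (not code from libmicrohttpd or from the Flatcar project), the following C program shows the class of defect the summary above describes, a multipart boundary derived from request bytes that contain embedded '\0' bytes, and the two checks that close it: reject the Content-Type value if it contains a NUL before deriving a boundary from it, and search the body with explicit lengths and bounds rather than through a NUL-terminated string. The function names, the RFC 2046 boundary character check, and the sample header and body bytes are this example's own assumptions; it does not reproduce libmicrohttpd's find_boundary().

```c
/* Added illustration, not libmicrohttpd code. Names and samples are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOUNDARY_MAX 70   /* RFC 2046 5.1.1: a boundary is 1 to 70 characters */
#define LEN(a) (sizeof (a) - 1)

/* Constructed sample inputs (not captured traffic). */
static const uint8_t HDR_OK[]     = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk";
static const uint8_t HDR_QUOTED[] = "multipart/form-data; boundary=\"a b\"";
static const uint8_t HDR_NUL[]    = "multipart/form-data; boundary=abc\0" "def"; /* embedded NUL */
static const uint8_t HDR_BAD[]    = "multipart/form-data; boundary=ab<cd";        /* '<' not allowed */
static const uint8_t BODY[]       = "--abc\r\nContent-Disposition: form-data; name=\"x\"\r\n\r\n1\r\n--abc--\r\n";

/* RFC 2046 bchars: DIGIT / ALPHA / "'" "(" ")" "+" "_" "," "-" "." "/" ":" "=" "?" / SPACE */
static int is_bchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    return strchr("'()+_,-./:=? ", c) != NULL && c != '\0';
}

/* Extract the boundary parameter from the raw Content-Type value 'hdr' of explicit
 * length 'hdr_len'. Returns the boundary length (>0) and a NUL-terminated copy in
 * 'out', or -1 if the value is rejected. */
static int parse_boundary(const uint8_t *hdr, size_t hdr_len, char *out, size_t out_sz)
{
    static const char key[] = "boundary=";
    const size_t klen = sizeof key - 1;
    size_t i = 0, start, end, n;
    int quoted = 0;

    /* A NUL inside the value would make any strlen()-based consumer see a shorter
     * boundary than the one derived from the wire bytes: reject it outright. */
    if (memchr(hdr, '\0', hdr_len) != NULL)
        return -1;

    /* Locate "boundary=" as a parameter, i.e. at the start or after ';' / space. */
    for (;;) {
        if (i + klen > hdr_len)
            return -1;
        if (memcmp(hdr + i, key, klen) == 0 && (i == 0 || hdr[i - 1] == ';' || hdr[i - 1] == ' '))
            break;
        i++;
    }
    start = i + klen;
    if (start < hdr_len && hdr[start] == '"') { quoted = 1; start++; }
    end = start;
    while (end < hdr_len && hdr[end] != (quoted ? '"' : ';'))
        end++;
    if (quoted && end == hdr_len)
        return -1;                                  /* unterminated quoted value */
    n = end - start;
    if (n == 0 || n > BOUNDARY_MAX || n + 1 > out_sz)
        return -1;
    for (i = start; i < end; i++)
        if (!is_bchar(hdr[i]))
            return -1;
    if (hdr[end - 1] == ' ')
        return -1;                                  /* trailing space is not allowed */
    memcpy(out, hdr + start, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: parse into a scratch buffer and return only the length. */
static int boundary_len(const uint8_t *hdr, size_t hdr_len)
{
    char scratch[BOUNDARY_MAX + 1];
    return parse_boundary(hdr, hdr_len, scratch, sizeof scratch);
}

/* Bounded search for the delimiter "--<boundary>" in 'body'. Returns the offset of
 * the first match or -1, and never reads past body + body_len. */
static long find_boundary(const uint8_t *body, size_t body_len, const char *boundary, size_t blen)
{
    size_t need = blen + 2, i;
    if (blen == 0 || need > body_len)
        return -1;                                  /* nothing can match */
    for (i = 0; i + need <= body_len; i++)
        if (body[i] == '-' && body[i + 1] == '-' && memcmp(body + i + 2, boundary, blen) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    char out[BOUNDARY_MAX + 1];
    int n = parse_boundary(HDR_OK, LEN(HDR_OK), out, sizeof out);
    printf("valid header  -> boundary \"%s\" (%d bytes)\n", out, n);
    printf("delimiter for \"abc\" found in sample body at offset %ld\n",
           find_boundary(BODY, LEN(BODY), "abc", 3));
    printf("embedded NUL  -> wire length %zu, strlen() sees %zu, parse result %d\n",
           LEN(HDR_NUL), strlen((const char *)HDR_NUL), boundary_len(HDR_NUL, LEN(HDR_NUL)));
    printf("bad character -> parse result %d\n", boundary_len(HDR_BAD, LEN(HDR_BAD)));
    return 0;
}
```

The point of the HDR_NUL line is the mismatch itself: measured with strlen() the same bytes parse to the three-byte boundary "abc", while the 37 wire bytes are rejected. A parser that derives the boundary one way and searches the body another way is exactly where a length disagreement turns into an out-of-bounds read, so the value is rejected at the earliest point and every later step carries an explicit length.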

dongsupark commented 1 year ago

As libmicrohttpd is not in portage-stable-packages-list, we need to manually update it at least once. Will soon start working on it.