Bug 13265

Summary: [CVE 21] libmicrohttpd 0.9.75 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2023-27371
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 13:58:29 MSK
Please patch CVEs for package libmicrohttpd version 0.9.75  
INFO (CVEs are): libmicrohttpd 0.9.75 cves found
CVE-2023-27371
Desc: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-27371
Severity: MEDIUM
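
The description above turns on '\0' bytes inside the multipart/form-data boundary. As an added example (not code from libmicrohttpd or from this report, and not the upstream fix), a length-aware check that an application could run on the boundary value before handing the request to a post processor; `boundary_is_valid` is a hypothetical helper and the sample values are constructed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2046 "bcharsnospace": digits, letters and a fixed punctuation set. */
static int is_bchar_nospace(unsigned char c)
{
    static const char punct[] = "'()+_,-./:=?";
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    /* memchr over sizeof - 1 bytes, so the literal's own terminator never matches c == 0 */
    return memchr(punct, c, sizeof punct - 1) != NULL;
}

/* Hypothetical helper: 1 if buf[0..len) is a well-formed boundary, else 0.
 * Takes an explicit length because strlen() would stop at an embedded '\0'. */
int boundary_is_valid(const char *buf, size_t len)
{
    size_t i;
    if (buf == NULL)
        return 0;
    if (len >= 2 && buf[0] == '"' && buf[len - 1] == '"') { /* quoted form */
        buf++;
        len -= 2;
    }
    if (len < 1 || len > 70)     /* RFC 2046 allows 1 to 70 characters */
        return 0;
    if (buf[len - 1] == ' ')     /* must not end in a space */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char) buf[i];
        if (c != ' ' && !is_bchar_nospace(c))
            return 0;            /* rejects '\0', CR, LF and other bytes outside bchars */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from real traffic. */
    static const char ok[] = "----example-boundary-1234";
    static const char nul[] = "----example\0boundary";
    printf("plain: %d\n", boundary_is_valid(ok, sizeof ok - 1));
    printf("embedded NUL: %d\n", boundary_is_valid(nul, sizeof nul - 1));
    return 0;
}
```
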
Comment 1 Svyatoslav Matveev 2023-05-23 10:44:22 MSK
********** QA ADVISORY **********

CVE closed by the update.

*** libmicrohttpd
**  0.9.75 > 0.9.76 (merge rosa2023.1)

https://abf.io/build_lists/4443235
https://abf.io/build_lists/4443236
https://abf.io/build_lists/4443234
https://abf.io/build_lists/4443237
https://abf.io/build_lists/4443238
Comment 2 Dmitry Postnikov 2023-05-23 21:39:03 MSK
(In reply to Svyatoslav Matveev from comment #1)
> ********** QA ADVISORY **********
> 
> CVE closed by the update.
> 
> *** libmicrohttpd
> **  0.9.75 > 0.9.76 (merge rosa2023.1)
> 
> https://abf.io/build_lists/4443235
> https://abf.io/build_lists/4443236
> https://abf.io/build_lists/4443234
> https://abf.io/build_lists/4443237
> https://abf.io/build_lists/4443238

The containers' pages are returning a 404 error.
Comment 3 Dmitry Postnikov 2023-05-24 10:09:43 MSK
The containers have recovered. All good.
Comment 4 Dmitry Postnikov 2023-05-24 16:03:14 MSK
***************************
The update sent to testings
Comment 5 Vladimir Potapov 2023-05-30 17:58:38 MSK
libmicrohttpd-0.9.76-1
https://abf.io/build_lists/4443235
https://abf.io/build_lists/4443236
https://abf.io/build_lists/4443234
https://abf.io/build_lists/4443237
https://abf.io/build_lists/4443238
************************** Advisory ********************
0.9.75 > 0.9.76
********************************************************
QA Verified
Comment 6 Yury 2023-07-25 13:56:22 MSK
Secteam Verified