Published: 30 September 2019

A flaw in the libapreq2 v2.07 to v2.13 multipart parser can dereference a null pointer, leading to a process crash. A remote attacker could send a request that causes a process crash, which could lead to a denial of service attack.

From the Ubuntu security team

It was discovered that libapreq2 did not properly sanitize the Content-Type field in certain crafted HTTP requests. An attacker could use the vulnerability to cause libapreq2 to crash.




Package Release Status
Launchpad, Ubuntu, Debian
Released (2.13-6)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
Ubuntu 18.04 LTS (Bionic Beaver) Released (2.13-7~deb10u1build0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Needed
Ubuntu 14.04 ESM (Trusty Tahr) Needed
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist