On Wed, Jun 8, 2022 at 5:43 AM Stefan Eissing <ic...@apache.org> wrote:
>
> Severity: low
>
> Description:
>
> The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read
> unintended memory if an attacker can cause the server to reflect very large
> input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts()
> function.
>
> Credit:
>
> The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop
> LLC) for reporting this issue
>
> References:
>
> https://httpd.apache.org/security/vulnerabilities_24.html

Some additional information has been added to this bulletin: Modules compiled and distributed separately from Apache HTTP Server that use the "ap_rputs" function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.
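
An added illustration, not part of the original message and not code from the Apache HTTP Server sources: ap_rwrite() takes its byte count as an int, so a module that measures a string as a size_t has to check the range or split the write before calling an int-length API. The names `int_len_writer`, `write_chunked`, `chunks_needed`, `len_fits_int` and the `sink` are hypothetical, and `max_chunk` is a parameter only so the chunking can be exercised with small buffers (a real caller would pass INT_MAX).

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for an API whose byte count is an int. */
typedef int (*int_len_writer)(const void *buf, int nbyte, void *ctx);

/* A size_t length may be handed to an int parameter only if it fits. */
static int len_fits_int(size_t len)
{
    return len <= (size_t)INT_MAX;
}

/* Writer calls needed when each call carries at most max_chunk bytes. */
static size_t chunks_needed(size_t len, int max_chunk)
{
    size_t m = (size_t)max_chunk;
    if (max_chunk <= 0)
        return 0;
    return len / m + (len % m != 0);
}

/* Pass len bytes to an int-length writer without ever narrowing len.
 * Returns 0 on success, -1 on a bad max_chunk or a writer failure. */
static int write_chunked(const char *buf, size_t len, int max_chunk,
                         int_len_writer fn, void *ctx)
{
    if (max_chunk <= 0)
        return -1;
    while (len > 0) {
        int n = len > (size_t)max_chunk ? max_chunk : (int)len;
        if (fn(buf, n, ctx) < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Constructed sink for the demonstration: copies bytes, records calls. */
struct sink { char data[64]; size_t used; int calls; int largest; };

static int sink_write(const void *buf, int nbyte, void *ctx)
{
    struct sink *s = ctx;
    if (nbyte < 0 || s->used + (size_t)nbyte > sizeof s->data)
        return -1;                 /* reject negative or oversized counts */
    memcpy(s->data + s->used, buf, (size_t)nbyte);
    s->used += (size_t)nbyte;
    s->calls++;
    if (nbyte > s->largest) s->largest = nbyte;
    return nbyte;
}
```
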