CVE-2021-3466

Name	CVE-2021-3466
Description	A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libmicrohttpd (PTS)	jessie, jessie (lts)	0.9.37+dfsg-1+deb8u1	fixed
	stretch (lts), stretch	0.9.51-1+deb9u1	fixed
	buster (security), buster, buster (lts)	0.9.62-1+deb10u1	fixed
	bullseye	0.9.72-2+deb11u1	fixed
	bookworm	0.9.75-6	fixed
	sid, trixie	1.0.1-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
libmicrohttpd	source	jessie	(not affected)
libmicrohttpd	source	stretch	(not affected)
libmicrohttpd	source	buster	(not affected)
libmicrohttpd	source	(unstable)	0.9.71-1

Notes

[buster] - libmicrohttpd <not-affected> (Vulnerable code introduced later)
[stretch] - libmicrohttpd <not-affected> (Vulnerable code introduced later)
Patch: https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
Introduced in https://git.gnunet.org/libmicrohttpd.git/commit/?id=55f715e15e3ce66babc939b5a670bee02d4d9571
[jessie] - libmicrohttpd <not-affected> (Vulnerable code introduced later)