| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| libevent-2.2.2-alpha.tar.gz | 2026-07-01 | 1.3 MB | |
| libevent-2.2.2-alpha.tar.gz.asc | 2026-07-01 | 833 Bytes | |
| Libevent 2.2.2-alpha source code.tar.gz | 2026-07-01 | 873.0 kB | |
| Libevent 2.2.2-alpha source code.zip | 2026-07-01 | 1.1 MB | |
| README.md | 2026-07-01 | 2.3 kB | |
| Totals: 5 Items | | 3.2 MB | 0 |

Changes in version 2.2.2-alpha (01 July 2026)
This release contains several security fixes, affecting users of the following modules: evbuffer, bufferevent, evtag, evrpc, evdns, evhttp, and evws. If you have a program that uses one of those modules, or if you distribute libevent, you should upgrade.
(Note: the latest stable release as of this writing is 2.1.13.)
Security fixes (evws):
- Fix a null dereference in the error path of evws_new_session(). (Found by @DarkaMaul. GHSA-3rpf-frgx-xq34)
- Prevent unbounded memory accumulation in websockets via frame fragmentation. (Found by @sectroyer. GHSA-qx89-wf2v-vgmx)
Security fixes, also in 2.1.13 (evtag, evrpc):
- Fix an out-of-bounds read in decode_tag_internal. (Found by @Brubbish. GHSA-fj29-64w6-73h6)
- Fix an integer overflow in evtag_unmarshal_header. (Found by @Brubbish. GHSA-45c6-qx49-89m8)
Security fixes, also in 2.1.13 (evhttp):
- Discard HTTP trailers, to prevent header smuggling attacks. (Found by @sebastianosrt. GHSA-2gmv-p5m7-98p6)
- Restrict HTTP header parsing to prevent request smuggling. (Originally reported by @xclow3n; and then by @kodareef5, @nstaller0490, @AsafMeizneer, and @yaotushaozhu. GHSA-q39v-w2g7-gr8j.)
- Treat CRLF and %00 more strictly in HTTP headers, to prevent parser mismatch attacks. (Reported by @xclow3n and @AsafMeizner. See GHSA-q39v-w2g7-gr8j, GHSA-jcwh-pvf2-73p2.)
- Fix a heap out-of-bounds write that could occur when using AF_UNIX sockets and compiling libevent with -DNDEBUG. (Found by @mat-mo. GHSA-cvq5-vrvr-j338)
Security fixes, also in 2.1.13 (evbuffer, bufferevent):
- Fix a dangling pointer in evbuffer_add_reference. (Found by @DarkaMaul. GHSA-c2pj-cg4r-88c8)
Security fixes, also in 2.1.13 (evdns):
- Fix an out-of-bounds write in dnsname_to_labels when building a DNS response of 2^16 bytes. (Found by @sectroyer. GHSA-58rx-7448-jw47)
Security fixes, also in 2.1.13 (example code):
- Avoid using strcpy() in sample/http-server.c. (Reported by @sectroyer. GHSA-5rgj-2c58-7jrc.)
Other fixes:
- Enable a test for signalfd that had previously been disabled by mistake.
- Fix compilation of some examples and tests, and resolve several compiler warnings.