GNU Project
GNU Libmicrohttpd2 Security Audit Report
Pages: 34
Time to read: 51 mins
Publication:
Language: English
This report presents the findings from a security audit of GNU Libmicrohttpd2. The primary objectives of the audit included the development of a threat model, a manual code audit, and the establishment of a continuous fuzzing suite utilizing OSS-Fuzz. The report outlines the process of creating a threat model to classify the attack surface, which served as a foundation for the security audit. A thorough manual review of the source code was conducted to identify potential logical and security flaws. Additionally, an extensive set of fuzzing harnesses was developed for GNU Libmicrohttpd2, which are now integrated into a continuous fuzzing process with OSS-Fuzz, running daily. The audit identified a total of seven issues, with two uncovered by the fuzzing harnesses and five identified during the manual audit. All reported issues have been addressed and fixed upstream, indicating a positive assessment of the software's overall quality.