Bug#992789: apr: CVE-2021-35940
Control: tags -1 + patch
On Mon, Aug 23, 2021 at 03:44:05PM +0200, Salvatore Bonaccorso wrote:
> Source: apr
> Version: 1.7.0-6
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for apr.
>
> CVE-2021-35940[0]:
> | An out-of-bounds array read in the apr_time_exp*() functions was fixed
> | in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
> | for this issue was not carried forward to the APR 1.7.x branch, and
> | hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
> | the same issue.
proposed change in https://salsa.debian.org/apache-team/apr/-/merge_requests/8
Regards,
Salvatore
Reply to: