Bug#992789: marked as done (apr: CVE-2021-35940)

To: Yadd <yadd@debian.org>
Subject: Bug#992789: marked as done (apr: CVE-2021-35940)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Tue, 24 Aug 2021 07:21:09 +0000
Message-id: <[🔎] handler.992789.D992789.162978951625004.ackdone@bugs.debian.org>
Reply-to: 992789@bugs.debian.org
References: <E1mIQhd-000A6O-VD@fasolo.debian.org> <[🔎] 162972624518.690681.13611271044033599426.reportbug@eldamar.lan>

Your message dated Tue, 24 Aug 2021 07:18:33 +0000
with message-id <E1mIQhd-000A6O-VD@fasolo.debian.org>
and subject line Bug#992789: fixed in apr 1.7.0-7
has caused the Debian Bug report #992789,
regarding apr: CVE-2021-35940
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992789: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992789
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apr: CVE-2021-35940
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 23 Aug 2021 15:44:05 +0200
Message-id: <[🔎] 162972624518.690681.13611271044033599426.reportbug@eldamar.lan>

Source: apr
Version: 1.7.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apr.

CVE-2021-35940[0]:
| An out-of-bounds array read in the apr_time_exp*() functions was fixed
| in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
| for this issue was not carried forward to the APR 1.7.x branch, and
| hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
| the same issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35940
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
[1] https://www.openwall.com/lists/oss-security/2021/08/23/1

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

To: 992789-close@bugs.debian.org
Subject: Bug#992789: fixed in apr 1.7.0-7
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Tue, 24 Aug 2021 07:18:33 +0000
Message-id: <E1mIQhd-000A6O-VD@fasolo.debian.org>
Reply-to: Yadd <yadd@debian.org>

Source: apr
Source-Version: 1.7.0-7
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Aug 2021 08:59:10 +0200
Source: apr
Architecture: source
Version: 1.7.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 981738 992789
Changes:
 apr (1.7.0-7) unstable; urgency=medium
 .
   * Team upload
 .
   [ Helmut Grohne ]
   * Annotate test dependencies netbase and net-tools <!nocheck>.
     Closes: #981738
 .
   [ Salvatore Bonaccorso ]
   * Out-of-bounds array dereference in apr_time_exp*() functions
     (CVE-2021-35940) (Closes: #992789)
Checksums-Sha1: 
 5a6133d1e309d7f909b9476303c3a74826cc5054 2272 apr_1.7.0-7.dsc
 04d90236334e69d513d521d373859b4426015cba 214920 apr_1.7.0-7.debian.tar.xz
Checksums-Sha256: 
 303d4fefd0c983f8c8a65b693f3ecd7efdc4e9824b5381f6fbb8ab91f38a2ada 2272 apr_1.7.0-7.dsc
 ee74eda7e216fa5c5949d73cda4be08f44189b3d64d3bea710fad4f794754b0f 214920 apr_1.7.0-7.debian.tar.xz
Files: 
 412c9a7d11942ac65f84a7975e1a34d9 2272 libs optional apr_1.7.0-7.dsc
 3d13db39982aa40aea98b15da9616387 214920 libs optional apr_1.7.0-7.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmEkmqkACgkQ9tdMp8mZ
7umc+g/+PFZ9RPQIVCm/naRob6vFDt8djnfXV8P808N3ezwf7UN4V8Y+QShsZHWk
XEHkeWD6iSWp6zCnRLGP7SR/je7HFS+znl1YR391iTj3dvBziqX/RDta1zAzuQ4q
+lI6tj9RZLmJNVONYz/lnQ+i9S5jcWHqe3/aKP+zvAbjE4FZ0Gcfov7SoMJCY/Kg
vAxEtC41WiSAdcjS35mK/8Uz9dgT1kV6QMOhIbR8wVbstodTXoCvBkrLLA4dwBlg
kpR68uYd//zYUhFSelHrteWBCWgoQNcnsUH1JNqai8xmxtd8w9H3TGRjD3Ab8BLr
odSz2sWBqzn9KzFBI6ObFfJuPplyrr+QlS1rkSoQ6Qu7RpBPYyIf18OK9DrKZgcE
6xnXru+kkO8Qy8ANFoOPeUKnMAGZTziH+ggaBSn+AZFykZbN6D9d+peXg7AURySS
tKP2BAVDtvHfEw9DWHIlOwSa4cnF0nFOiIV8gtGTGJEzCXOB71HalJDhb5AtS+Yu
FrNWFJYg80qPfYMDmBFq9nppQz2FLBz/LROOYBpzftA+0w650ckUlf8rhBwKk+3A
ZDmcEphIIRV71nYGdhf7GmauB22nVHXpmO296ay0FQD/ja2TTg6ZcDKpKjEZf547
b+S1FZR4AZtN0PMRe93GkNnBeAvPAydiFEFs9Nwb3UIXnmDDes0=
=VZqK
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

References:
- Bug#992789: apr: CVE-2021-35940
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Processed: Bug#992789 marked as pending in apr
Next by Date: Bug#981738: marked as done (apr: annotate test dependencies <!nocheck>)
Previous by thread: Processed: Bug#992789 marked as pending in apr
Next by thread: Processed: Bug#992789 marked as pending in apr
Index(es):
- Date
- Thread