
Bug#992789: marked as done (apr: CVE-2021-35940)



Your message dated Tue, 07 Sep 2021 08:32:07 +0000
with message-id <E1mNWWV-0004Y5-IN@fasolo.debian.org>
and subject line Bug#992789: fixed in apr 1.7.0-6+deb11u1
has caused the Debian Bug report #992789,
regarding apr: CVE-2021-35940
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992789: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992789
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: apr
Version: 1.7.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apr.

CVE-2021-35940[0]:
| An out-of-bounds array read in the apr_time_exp*() functions was fixed
| in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
| for this issue was not carried forward to the APR 1.7.x branch, and
| hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
| the same issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35940
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
[1] https://www.openwall.com/lists/oss-security/2021/08/23/1

Regards,
Salvatore

--- End Message ---
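The report above describes an out-of-bounds array read in the apr_time_exp*() family: a conversion from broken-down time to an epoch value indexes a fixed 12-entry day-offset table with the caller-supplied month field, and nothing rejects a month outside 0..11 first. The following C program is an added illustration of that bug class and its fix; it is not APR's source and not part of this bug thread. The type and function names (exp_time, days_before_month, exp_to_time_unchecked, exp_to_time_checked) and the use of EINVAL as a stand-in for APR_EBADDATE are assumptions made for the example; the sample date is constructed from the upload date in the changes file below.

```c
/* Added example for this bug report; not APR's own source.  It models an
 * apr_time_exp_get()-style conversion from broken-down time to an epoch
 * value using a 12-entry day-offset table indexed by the caller's month
 * field, which is the pattern CVE-2017-12613 / CVE-2021-35940 describe.
 * All names below (exp_time, days_before_month, exp_to_time_*) are
 * invented for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t my_time_t;          /* stands in for apr_time_t (microseconds) */
#define USEC_PER_SEC 1000000LL

/* Cumulative days before the first of each month, non-leap year. */
static const int days_before_month[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

/* Broken-down time; field names follow struct tm / apr_time_exp_t. */
struct exp_time {
    int tm_sec, tm_min, tm_hour;
    int tm_mday;     /* 1..31 */
    int tm_mon;      /* 0..11 */
    int tm_year;     /* years since 1900 */
};

static int is_leap(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Leap days in years 1..y (inclusive). */
static long leap_days_through(int y) {
    return y / 4 - y / 100 + y / 400;
}

/* Shared arithmetic: days since 1970-01-01 for the given fields.  It
 * trusts tm_mon as a table index, so a caller must validate it first. */
static long fields_to_days(const struct exp_time *xt) {
    int year = 1900 + xt->tm_year;
    long days = 365L * (year - 1970)
              + leap_days_through(year - 1) - leap_days_through(1969);
    days += days_before_month[xt->tm_mon];      /* the indexed table */
    if (xt->tm_mon > 1 && is_leap(year))
        days += 1;                              /* Feb 29 already passed */
    return days + xt->tm_mday - 1;
}

static my_time_t days_and_tod_to_usec(long days, const struct exp_time *xt) {
    my_time_t secs = (my_time_t)days * 86400
                   + xt->tm_hour * 3600 + xt->tm_min * 60 + xt->tm_sec;
    return secs * USEC_PER_SEC;
}

/* VULNERABLE shape: tm_mon is used as an index with no range check, so
 * tm_mon = 12 or a negative value reads outside days_before_month[]. */
int exp_to_time_unchecked(const struct exp_time *xt, my_time_t *out) {
    *out = days_and_tod_to_usec(fields_to_days(xt), xt);
    return 0;
}

/* HARDENED shape: reject an out-of-range month (and day) before any
 * table lookup and report a bad-date status to the caller. */
int exp_to_time_checked(const struct exp_time *xt, my_time_t *out) {
    if (xt->tm_mon < 0 || xt->tm_mon > 11)
        return EINVAL;               /* APR's fix returns APR_EBADDATE here */
    if (xt->tm_mday < 1 || xt->tm_mday > 31)
        return EINVAL;
    *out = days_and_tod_to_usec(fields_to_days(xt), xt);
    return 0;
}

int main(void) {
    /* Constructed input: 2021-08-24 09:18:26, treated as UTC. */
    struct exp_time ok  = { 26, 18, 9, 24, 7, 121 };
    struct exp_time bad = { 0, 0, 0, 1, 12, 121 };   /* month 12 is invalid */
    my_time_t t;

    if (exp_to_time_checked(&ok, &t) == 0)
        printf("valid date -> %lld us since epoch\n", (long long)t);
    if (exp_to_time_checked(&bad, &t) == EINVAL)
        printf("tm_mon=12 rejected before the table lookup\n");
    /* exp_to_time_unchecked(&bad, &t) would read days_before_month[12]. */
    return 0;
}
```

The two entry points share the same arithmetic; the only difference is that the hardened one validates tm_mon before it is ever used as an index. That is the whole of the fix class here, and also why a missing backport is easy to overlook: the vulnerable and fixed versions agree on every valid input, so ordinary tests never reach the out-of-bounds read.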
--- Begin Message ---
Source: apr
Source-Version: 1.7.0-6+deb11u1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 24 Aug 2021 09:18:26 +0200
Source: apr
Architecture: source
Version: 1.7.0-6+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 992789
Changes:
 apr (1.7.0-6+deb11u1) bullseye; urgency=medium
 .
   * Team upload
 .
   [ Salvatore Bonaccorso ]
   * Out-of-bounds array dereference in apr_time_exp*() functions
     (CVE-2021-35940) (Closes: #992789)
Checksums-Sha1: 
 5387f703625d7cd10223da4c3c5e50c8fb5d8166 2282 apr_1.7.0-6+deb11u1.dsc
 30238f6a67fc40eb9e3513154bf3105327ec2294 214884 apr_1.7.0-6+deb11u1.debian.tar.xz
Checksums-Sha256: 
 561d329f77659ea05d7303776b76922c4c13c5647b5f9205a3d6637976f345df 2282 apr_1.7.0-6+deb11u1.dsc
 7352919715fe985ccfee1953a85a051e16cd4af0c739c0f827e508a309ee5e06 214884 apr_1.7.0-6+deb11u1.debian.tar.xz
Files: 
 d1a90a2fe6f15fea4c0fb05c15512b11 2282 libs optional apr_1.7.0-6+deb11u1.dsc
 bbd265ad0639b09be53210525ef81117 214884 libs optional apr_1.7.0-6+deb11u1.debian.tar.xz


--- End Message ---
