Bug#1080375: apr: CVE-2023-49582

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1080375: apr: CVE-2023-49582
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 03 Sep 2024 08:09:47 +0200
Message-id: <[🔎] 172534378785.983053.11036903807075553433.reportbug@elende.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1080375@bugs.debian.org

Source: apr
Version: 1.7.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apr.

CVE-2023-49582[0]:
| Lax permissions set by the Apache Portable Runtime library on Unix
| platforms would allow local users read access to named shared memory
| segments, potentially revealing sensitive application data.   This
| issue does not affect non-Unix platforms, or builds
| with APR_USE_SHMEM_SHMGET=1 (apr.h)  Users are recommended to
| upgrade to APR version 1.7.5, which fixes this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49582
    https://www.cve.org/CVERecord?id=CVE-2023-49582
[1] https://lists.apache.org/thread/h5f1c2dqm8bf5yfosw3rg85927p612l0

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1080375: marked as done (apr: CVE-2023-49582)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#972695: Reload or restart?
Next by Date: Processed: Add missing patch tags
Previous by thread: Bug#972695: Reload or restart?
Next by thread: Bug#1080375: marked as done (apr: CVE-2023-49582)
Index(es):
- Date
- Thread