Your message dated Sat, 02 Nov 2024 19:32:08 +0000 with message-id <E1t7Jqy-00AdYW-Jm@fasolo.debian.org> and subject line Bug#1080375: fixed in apr 1.7.2-3+deb12u1 has caused the Debian Bug report #1080375, regarding apr: CVE-2023-49582 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1080375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080375
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apr: CVE-2023-49582
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 03 Sep 2024 08:09:47 +0200
- Message-id: <172534378785.983053.11036903807075553433.reportbug@elende.valinor.li>
Source: apr
Version: 1.7.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apr.

CVE-2023-49582[0]:
| Lax permissions set by the Apache Portable Runtime library on Unix
| platforms would allow local users read access to named shared memory
| segments, potentially revealing sensitive application data. This
| issue does not affect non-Unix platforms, or builds
| with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to
| upgrade to APR version 1.7.5, which fixes this issue.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49582
    https://www.cve.org/CVERecord?id=CVE-2023-49582
[1] https://lists.apache.org/thread/h5f1c2dqm8bf5yfosw3rg85927p612l0

Regards,
Salvatore
--- End Message ---
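The report above describes a permissions problem: a named shared-memory segment created with a mode that lets other local users read it. The following is an added example, not code from APR or from the Debian bug, showing the defender-side version of that fix and a check for it. It creates a file-backed segment (one of the mechanisms APR uses for named shared memory; the helper names `create_shm_with_mode`, `create_private_shm`, `shm_permissions_lax` and `shm_roundtrip` are this example's own, not APR's API), pins the mode to 0600 with fchmod() so the outcome does not depend on the process umask, and provides an audit function that flags any segment whose group or other bits are set, which is the condition the CVE text describes.

```c
/* Added example, not APR code: owner-only (0600) named shared memory
 * backed by a file, plus a check that flags segments readable by
 * group or others, the lax state described in CVE-2023-49582. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a file-backed segment at `path` of `size`
 * bytes and force its mode to exactly `mode`. O_CREAT applies the umask,
 * so fchmod() is used to pin the final mode regardless of umask.
 * Returns the open fd, or -1 with errno set. */
int create_shm_with_mode(const char *path, size_t size, mode_t mode)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0 || ftruncate(fd, (off_t)size) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* The mitigated form: owner read/write only (0600), matching the
 * "Use 0600 perms for named shared mem consistently" changelog entry. */
int create_private_shm(const char *path, size_t size)
{
    return create_shm_with_mode(path, size, S_IRUSR | S_IWUSR);
}

/* Audit check: returns 1 if any group/other permission bit is set on
 * `path` (lax, other local users may read it), 0 if owner-only,
 * -1 if the path cannot be stat'ed. */
int shm_permissions_lax(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Map the segment, store `marker`, read it back. Returns 0 on success,
 * -1 on failure. Shows the segment is usable after the mode is pinned. */
int shm_roundtrip(int fd, size_t size, const char *marker)
{
    char *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return -1;
    strncpy(p, marker, size - 1);
    p[size - 1] = '\0';
    int ok = (strcmp(p, marker) == 0) ? 0 : -1;
    munmap(p, size);
    return ok;
}

int main(void)
{
    /* Constructed path under /tmp, unique per process. */
    char path[64];
    snprintf(path, sizeof path, "/tmp/shm-example-%ld", (long)getpid());

    int fd = create_private_shm(path, 4096);
    if (fd < 0) {
        perror("create_private_shm");
        return 1;
    }
    printf("%s lax=%d roundtrip=%d\n", path,
           shm_permissions_lax(path),
           shm_roundtrip(fd, 4096, "constructed marker"));
    close(fd);
    unlink(path);
    return 0;
}
```

Running it on a host with a permissive umask (for example 022) still yields `lax=0`, because the mode is set explicitly after creation; the same audit function run over a directory of existing segments (for instance the files under a tmpfs used for shared memory) will return 1 for any segment that another local user could open for reading.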
--- Begin Message ---
- To: 1080375-close@bugs.debian.org
- Subject: Bug#1080375: fixed in apr 1.7.2-3+deb12u1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 02 Nov 2024 19:32:08 +0000
- Message-id: <E1t7Jqy-00AdYW-Jm@fasolo.debian.org>
- Reply-to: Salvatore Bonaccorso <carnil@debian.org>
Source: apr
Source-Version: 1.7.2-3+deb12u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of apr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1080375@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 31 Oct 2024 21:08:12 +0100
Source: apr
Architecture: source
Version: 1.7.2-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1080375
Changes:
 apr (1.7.2-3+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Use 0600 perms for named shared mem consistently (CVE-2023-49582)
     (Closes: #1080375)
Checksums-Sha1:
 ef2707f57478ba375079d336af5004764bcb2404 2448 apr_1.7.2-3+deb12u1.dsc
 5ba3bd9caddb2ac6e9dd0f5a6bcdfce623bdd0ae 55196 apr_1.7.2-3+deb12u1.debian.tar.xz
 3979fbc4cf07947f20c26ca5cab7653d507b1d8d 8018 apr_1.7.2-3+deb12u1_source.buildinfo
Checksums-Sha256:
 b1ed0103f7016e008e97f758a2fa2a796d1ac2ae880a7357a00ae2dddcb1a66b 2448 apr_1.7.2-3+deb12u1.dsc
 8fa6328a8211fd6d2edcb972503f355509eda5d829cf3bd86a275ad49b81a424 55196 apr_1.7.2-3+deb12u1.debian.tar.xz
 2a35bdfc2e0df7808d5648b6bcda14dca14be7e69ffa3f8e71f61b755293ea95 8018 apr_1.7.2-3+deb12u1_source.buildinfo
Files:
 9554738a3d2883571b37c69848629d7f 2448 libs optional apr_1.7.2-3+deb12u1.dsc
 d68eb92e3eb8ad3083ed7078c3b34b64 55196 libs optional apr_1.7.2-3+deb12u1.debian.tar.xz
 51712fe353bb60466755d0ec4de2829e 8018 libs optional apr_1.7.2-3+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmcj5EhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EqcUP/0MyxnyVfYcfBEVb99XM9inF7pLGpcU/
gvuqwnfsNJ2PwKQftkSM0ijkgihEzWVvau6pGi+3ayn9Z9Ogve50RR/eL0oQd21e
Ux5Ymbxmiy+saEBIeaNXUceU7r8FUuCHT2TWiTmmRmUyLVK0fqjYMCdE41+bs3q4
rLVCd48GepRn2xLd7Xp7v8gUb89TYGJrU29Hc9JJdmy2iHjGN1uSkMXcIlhzejDB
eBEQq9slQKZEhFfpt+LwSH9N3D+aTu/EZsHVYBX6xo1UIfDzbH48JZNnOv8Dfi2x
dg3QdGDrxBD5O8oXvX+FIQVBOEubJqsWRwslGRpsJbudq/KABhukApIAD6Hhapds
6Z+ZOsu6jMTLdQWx3YG9JI2+mVDhyIJYTQgdgttbCrpqy5z6853t1QL2Xv0w+4G/
rWHYRHvlPKVtIpLwY4rCzoBduYQZHGA3Qzn/YFAHuFoHGqSt2bqJZ52p6cDa1Maa
Wl9suTLFnMAD929ff5CyUnyR30kw20XP+vPgRBzBM92QmYfrLidzvb5XqNr5cXTI
lSrrzoDFD5EbSz9Kn96g3DkXaGvP1PXANxt3ShQmBl1XH+VnnfCshAWlL9+zBRpE
kycPxKJ8AcldLqKzrwHxronmD3pIzNa+SSv+PhMRU6KqcUhsm8LPEeWjEy9G25Pq
DaN8CjSc3YDj
=wfjk
-----END PGP SIGNATURE-----

Attachment: pgpN_kjD7Ohtj.pgp
Description: PGP signature
--- End Message ---