[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992789: apr: CVE-2021-35940

Source: apr
Version: 1.7.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for apr.

CVE-2021-35940[0]:
| An out-of-bounds array read in the apr_time_exp*() functions was fixed
| in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
| for this issue was not carried forward to the APR 1.7.x branch, and
| hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
| the same issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35940
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
[1] https://www.openwall.com/lists/oss-security/2021/08/23/1

Regards,
Salvatore
Reply to: