Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

apr-util: CVE-2017-12618

Related Vulnerabilities: CVE-2017-12618   CVE-2017-12613  

Source

Debian Bug report logs - #879996
apr-util: CVE-2017-12618

version graph

Package: src:apr-util; Maintainer for src:apr-util is Debian Apache Maintainers <debian-apache@lists.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 24 Oct 2017 20:33:02 UTC

Severity: important

Tags: security, upstream

Found in versions apr-util/1.5.4-1, apr-util/1.6.0-1

Fixed in version apr-util/1.6.1-1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#879708; Package src:apr-util. (Tue, 24 Oct 2017 20:33:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 24 Oct 2017 20:33:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-12613 CVE-2017-12618
Date: Tue, 24 Oct 2017 22:28:02 +0200
Source: apr-util
Severity: important
Tags: security

I'm sure you're aware, but filing for completeness in the BTS anyway:
http://mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E 

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#879708; Package src:apr-util. (Tue, 24 Oct 2017 20:39:03 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 24 Oct 2017 20:39:03 GMT) (full text, mbox, link).

Message #10 received at 879708@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: 879708@bugs.debian.org
Subject: Re: Bug#879708: CVE-2017-12613 CVE-2017-12618
Date: Tue, 24 Oct 2017 22:35:37 +0200
On Tue, Oct 24, 2017 at 10:28:02PM +0200, Moritz Muehlenhoff wrote:
> Source: apr-util
> Severity: important
> Tags: security
> 
> I'm sure you're aware, but filing for completeness in the BTS anyway:
> http://mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E 

Actually CVE-2017-12618 is in apr-util and CVE-2017-12613 in apr

I don't think any of those need a DSA, but let me know if you disagree.

Cheers,
        Moritz

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:30:12 GMT) (full text, mbox, link).

Marked as found in versions apr-util/1.6.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:30:13 GMT) (full text, mbox, link).

Bug 879708 cloned as bug 879996 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:05 GMT) (full text, mbox, link).

Changed Bug title to 'apr-util: CVE-2017-12618' from 'CVE-2017-12613 CVE-2017-12618'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:09 GMT) (full text, mbox, link).

Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Mon, 06 Nov 2017 19:21:07 GMT) (full text, mbox, link).

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 06 Nov 2017 19:21:07 GMT) (full text, mbox, link).

Message #23 received at 879996-close@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@debian.org>
To: 879996-close@bugs.debian.org
Subject: Bug#879996: fixed in apr-util 1.6.1-1
Date: Mon, 06 Nov 2017 19:19:15 +0000
Source: apr-util
Source-Version: 1.6.1-1

We believe that the bug you reported is fixed in the latest version of
apr-util, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879996@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr-util package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Nov 2017 19:48:34 +0100
Source: apr-util
Binary: libaprutil1 libaprutil1-ldap libaprutil1-dbd-mysql libaprutil1-dbd-sqlite3 libaprutil1-dbd-odbc libaprutil1-dbd-pgsql libaprutil1-dev libaprutil1-dbg
Architecture: source amd64
Version: 1.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 libaprutil1 - Apache Portable Runtime Utility Library
 libaprutil1-dbd-mysql - Apache Portable Runtime Utility Library - MySQL Driver
 libaprutil1-dbd-odbc - Apache Portable Runtime Utility Library - ODBC Driver
 libaprutil1-dbd-pgsql - Apache Portable Runtime Utility Library - PostgreSQL Driver
 libaprutil1-dbd-sqlite3 - Apache Portable Runtime Utility Library - SQLite3 Driver
 libaprutil1-dbg - Apache Portable Runtime Utility Library - Debugging Symbols
 libaprutil1-dev - Apache Portable Runtime Utility Library - Development Headers
 libaprutil1-ldap - Apache Portable Runtime Utility Library - LDAP Driver
Closes: 879996
Changes:
 apr-util (1.6.1-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixes CVE-2017-12618: Out-of-bounds access in corrupted SDBM database.
       Closes: #879996
Checksums-Sha1:
 fe26d463c1d95a9319e0b0187aacdc49703e43d7 2865 apr-util_1.6.1-1.dsc
 4cc73bc36ca697419f555476f2fc1c63df6069f4 428595 apr-util_1.6.1.orig.tar.bz2
 e0803c3de11cf90a7be5429a7f4756b3867bf056 801 apr-util_1.6.1.orig.tar.bz2.asc
 e1dac4f76f079abe53bbd7ce1a014bb3f7666329 210872 apr-util_1.6.1-1.debian.tar.xz
 9d2232cdab37e4062822c5aff9ba62393662235f 9570 apr-util_1.6.1-1_amd64.buildinfo
 b0a05f92ee3f05916afc13aed9862267daf053ab 20272 libaprutil1-dbd-mysql_1.6.1-1_amd64.deb
 6cad02399709f42fcab78609c2d76e55f23eb49e 23876 libaprutil1-dbd-odbc_1.6.1-1_amd64.deb
 3f8ed97a398914e7ca5cfbc50452eb81285129b2 20136 libaprutil1-dbd-pgsql_1.6.1-1_amd64.deb
 b1e3146a83d899242f2cc524da326e9b2c0c1b46 18172 libaprutil1-dbd-sqlite3_1.6.1-1_amd64.deb
 5a0cf339da68baa7b8ceae8d62ee89499d0141d8 338152 libaprutil1-dbg_1.6.1-1_amd64.deb
 b1572965719a95b8f8312c6f4256fce623f0c1f1 403288 libaprutil1-dev_1.6.1-1_amd64.deb
 34ef435fb0a10b4fb891bed45869e05448f957bc 16292 libaprutil1-ldap_1.6.1-1_amd64.deb
 edf494bd93a5b7ee4d5d25192907590495fbed80 91112 libaprutil1_1.6.1-1_amd64.deb
Checksums-Sha256:
 4c9f454e9750b5acda7e8959700b725a0f6256d7da0cb54ae6d5a4b61aac8deb 2865 apr-util_1.6.1-1.dsc
 d3e12f7b6ad12687572a3a39475545a072608f4ba03a6ce8a3778f607dd0035b 428595 apr-util_1.6.1.orig.tar.bz2
 47837b605290c0d7659b73734e4a9d5e6c0c24c13185cd4d91837afe63c07ca4 801 apr-util_1.6.1.orig.tar.bz2.asc
 5d0446d5832a62d6428ff408c571ff693f2aba604b2606c8f2463b2a6d8ae217 210872 apr-util_1.6.1-1.debian.tar.xz
 f12ca8edca5d45be22f6091bde0a0bd94837fe2a856a602c46138d65a25d1892 9570 apr-util_1.6.1-1_amd64.buildinfo
 ac491b8e63ad8bca0adcde6bea93681b4e8660fb2ef00c9aedcda12ced878569 20272 libaprutil1-dbd-mysql_1.6.1-1_amd64.deb
 d4db2325ab0acd673dc24cd9cfa43a8df11b0d600275cb5e07dc17400af4f2fb 23876 libaprutil1-dbd-odbc_1.6.1-1_amd64.deb
 e4ccf7ce480744411f94a0984da73a6d83e3493cc3827d8092a213a5e3d08a82 20136 libaprutil1-dbd-pgsql_1.6.1-1_amd64.deb
 5f757d0fec95c1534dbd4bcf575deb9dab43c288ce3003622008c59f22de1818 18172 libaprutil1-dbd-sqlite3_1.6.1-1_amd64.deb
 6fb15f3e6a96d5b5ec64e5547954b3d3f44ab4c7eb6311520b30a6207047865a 338152 libaprutil1-dbg_1.6.1-1_amd64.deb
 489015d6835d1299a3706230a5d05d456d08e83149946a7e0cfcc20f120af678 403288 libaprutil1-dev_1.6.1-1_amd64.deb
 8de42337352f1c94b68d9e26dd8f843e3ca5f90c9f2019a8171f1e14c024a75a 16292 libaprutil1-ldap_1.6.1-1_amd64.deb
 3972d00a4a89b995d2156bbcc2d13888b6e70bf05dabc541ee97575e69986dba 91112 libaprutil1_1.6.1-1_amd64.deb
Files:
 40acdbde7deffe5f0b62bdbb5aacdadc 2865 libs optional apr-util_1.6.1-1.dsc
 8ff5dc36fa39a2a3db1df196d3ed6086 428595 libs optional apr-util_1.6.1.orig.tar.bz2
 56d1c76f41e658277444bb744d67d43e 801 libs optional apr-util_1.6.1.orig.tar.bz2.asc
 72f6597d8e5e82f79ad0692743a7c029 210872 libs optional apr-util_1.6.1-1.debian.tar.xz
 da46a7b3b7e7eef53d4c19b452efd448 9570 libs optional apr-util_1.6.1-1_amd64.buildinfo
 c1497f99d59b3c0af056b12d81424491 20272 libs optional libaprutil1-dbd-mysql_1.6.1-1_amd64.deb
 7edbdeb2086e2ee9b61053e84398026e 23876 libs optional libaprutil1-dbd-odbc_1.6.1-1_amd64.deb
 cf3b67e362e0f072a67e37e0742ce006 20136 libs optional libaprutil1-dbd-pgsql_1.6.1-1_amd64.deb
 cdc0a8c3d753cd3d250e5ca74ca910c3 18172 libs optional libaprutil1-dbd-sqlite3_1.6.1-1_amd64.deb
 6b789690235d5121bb2700c92cd89106 338152 debug optional libaprutil1-dbg_1.6.1-1_amd64.deb
 da3bbc4168862e27ea0dd88b3d9e3df1 403288 libdevel optional libaprutil1-dev_1.6.1-1_amd64.deb
 6974d5d4746d14c627d0cb74334f179f 16292 libs optional libaprutil1-ldap_1.6.1-1_amd64.deb
 b82530fef5dc3ff4accbd64f20f3bd4c 91112 libs optional libaprutil1_1.6.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAloAs0cACgkQxodfNUHO
/eBN/xAAnqGn15n6YZcw1cvOuPHzMT5gQ46Tyr4xX2etICY2L9QBpf7hHUfMIxO5
vkk5cfoDpgpH499AUwS9/074Rx2WWqGyBRCCO/zSF1AvoQhkyKmDvEni2N5JbbnK
BcMKf2xytzdQgmfYq2+fSltYqB10q6tgNtIVXI5bYgGrCJ5ON17oP8Hu3wONIoV7
ZxPOHX/2E1Hc1FIS+ZozCppCdtGur9fL0qlugsGA+6bi9Ab1sMULHtQZHbA5Jh4R
dzxJaGurhuFzgdKP2n7LeN8TpBRilQcO8ROTQXBAU69WAMyD7VKgLDUhr+UnnsaJ
tGETYZyJhE+nUVWgujuxIB9tmLGkHPwIxXAc5pbC1xsCiRkFfSDAod7vMEG0wJKI
2qpI7gAJLxc512Kw5na2uGlvqAdn87V8qoyL8Ag1sixaU0+X9nJas9lmkxB0HR4Q
aoShFg4oyzx6EeBXf5ikHWv9/A187vJYv1UQCp4/8efy2wEMg481bDNx4gYFsuSs
oFmQbw/thlMjc7visckJ6Q97CyUBnrIDk8DVBvxDnAgtQXD27CTvV7KdWpkhM+zH
UVrA6GMXL+w9bm5TYUOs0lOTfyNo85B9mg6iP+bl4KuwIKf4WAMMsbFrVeOl40IK
hsP3hK+jEBh0dmGC1gBeMpK3ftdINhLTcYt/Hv3OO53nbwkS+T0=
=yJBu
-----END PGP SIGNATURE-----

Marked as found in versions apr-util/1.5.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 07 Nov 2017 05:15:03 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Dec 2017 07:30:33 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:06:18 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started