Debian Bug report logs -
#992789
apr: CVE-2021-35940
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 23 Aug 2021 13:48:02 UTC
Severity: important
Tags: patch, pending, security, upstream
Found in version apr/1.7.0-6
Fixed in version apr/1.7.0-7
Done: Yadd <yadd@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#992789; Package src:apr.
(Mon, 23 Aug 2021 13:48:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>.
(Mon, 23 Aug 2021 13:48:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: apr
Version: 1.7.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for apr.
CVE-2021-35940[0]:
| An out-of-bounds array read in the apr_time_exp*() functions was fixed
| in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
| for this issue was not carried forward to the APR 1.7.x branch, and
| hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
| the same issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-35940
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
[1] https://www.openwall.com/lists/oss-security/2021/08/23/1
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#992789; Package src:apr.
(Mon, 23 Aug 2021 20:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
(Mon, 23 Aug 2021 20:57:02 GMT) (full text, mbox, link).
Message #10 received at 992789@bugs.debian.org (full text, mbox, reply):
Control: tags -1 + patch
On Mon, Aug 23, 2021 at 03:44:05PM +0200, Salvatore Bonaccorso wrote:
> Source: apr
> Version: 1.7.0-6
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for apr.
>
> CVE-2021-35940[0]:
> | An out-of-bounds array read in the apr_time_exp*() functions was fixed
> | in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
> | for this issue was not carried forward to the APR 1.7.x branch, and
> | hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
> | the same issue.
proposed change in https://salsa.debian.org/apache-team/apr/-/merge_requests/8
Regards,
Salvatore
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 992789-submit@bugs.debian.org.
(Mon, 23 Aug 2021 20:57:02 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#992789.
(Tue, 24 Aug 2021 07:03:04 GMT) (full text, mbox, link).
Message #15 received at 992789-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #992789 in apr reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/apache-team/apr/-/commit/f7261308b209450139ab045e38cfd05489fd5976
------------------------------------------------------------------------
Out-of-bounds array dereference in apr_time_exp*() functions (CVE-2021-35940)
Closes: #992789
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/992789
Added tag(s) pending.
Request was from Yadd <noreply@salsa.debian.org>
to 992789-submitter@bugs.debian.org.
(Tue, 24 Aug 2021 07:03:04 GMT) (full text, mbox, link).
Reply sent
to Yadd <yadd@debian.org>:
You have taken responsibility.
(Tue, 24 Aug 2021 07:21:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 24 Aug 2021 07:21:09 GMT) (full text, mbox, link).
Message #22 received at 992789-close@bugs.debian.org (full text, mbox, reply):
Source: apr
Source-Version: 1.7.0-7
Done: Yadd <yadd@debian.org>
We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 992789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 24 Aug 2021 08:59:10 +0200
Source: apr
Architecture: source
Version: 1.7.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 981738 992789
Changes:
apr (1.7.0-7) unstable; urgency=medium
.
* Team upload
.
[ Helmut Grohne ]
* Annotate test dependencies netbase and net-tools <!nocheck>.
Closes: #981738
.
[ Salvatore Bonaccorso ]
* Out-of-bounds array dereference in apr_time_exp*() functions
(CVE-2021-35940) (Closes: #992789)
Checksums-Sha1:
5a6133d1e309d7f909b9476303c3a74826cc5054 2272 apr_1.7.0-7.dsc
04d90236334e69d513d521d373859b4426015cba 214920 apr_1.7.0-7.debian.tar.xz
Checksums-Sha256:
303d4fefd0c983f8c8a65b693f3ecd7efdc4e9824b5381f6fbb8ab91f38a2ada 2272 apr_1.7.0-7.dsc
ee74eda7e216fa5c5949d73cda4be08f44189b3d64d3bea710fad4f794754b0f 214920 apr_1.7.0-7.debian.tar.xz
Files:
412c9a7d11942ac65f84a7975e1a34d9 2272 libs optional apr_1.7.0-7.dsc
3d13db39982aa40aea98b15da9616387 214920 libs optional apr_1.7.0-7.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmEkmqkACgkQ9tdMp8mZ
7umc+g/+PFZ9RPQIVCm/naRob6vFDt8djnfXV8P808N3ezwf7UN4V8Y+QShsZHWk
XEHkeWD6iSWp6zCnRLGP7SR/je7HFS+znl1YR391iTj3dvBziqX/RDta1zAzuQ4q
+lI6tj9RZLmJNVONYz/lnQ+i9S5jcWHqe3/aKP+zvAbjE4FZ0Gcfov7SoMJCY/Kg
vAxEtC41WiSAdcjS35mK/8Uz9dgT1kV6QMOhIbR8wVbstodTXoCvBkrLLA4dwBlg
kpR68uYd//zYUhFSelHrteWBCWgoQNcnsUH1JNqai8xmxtd8w9H3TGRjD3Ab8BLr
odSz2sWBqzn9KzFBI6ObFfJuPplyrr+QlS1rkSoQ6Qu7RpBPYyIf18OK9DrKZgcE
6xnXru+kkO8Qy8ANFoOPeUKnMAGZTziH+ggaBSn+AZFykZbN6D9d+peXg7AURySS
tKP2BAVDtvHfEw9DWHIlOwSa4cnF0nFOiIV8gtGTGJEzCXOB71HalJDhb5AtS+Yu
FrNWFJYg80qPfYMDmBFq9nppQz2FLBz/LROOYBpzftA+0w650ckUlf8rhBwKk+3A
ZDmcEphIIRV71nYGdhf7GmauB22nVHXpmO296ay0FQD/ja2TTg6ZcDKpKjEZf547
b+S1FZR4AZtN0PMRe93GkNnBeAvPAydiFEFs9Nwb3UIXnmDDes0=
=VZqK
-----END PGP SIGNATURE-----
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#992789.
(Tue, 24 Aug 2021 07:21:11 GMT) (full text, mbox, link).
Message #25 received at 992789-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #992789 in apr reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/apache-team/apr/-/commit/c548b3da9ddf01daaeb2d2f6d37c3850e73bef18
------------------------------------------------------------------------
Out-of-bounds array dereference in apr_time_exp*() functions (CVE-2021-35940)
Closes: #992789
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/992789
Added tag(s) pending.
Request was from Yadd <noreply@salsa.debian.org>
to 992789-submitter@bugs.debian.org.
(Tue, 24 Aug 2021 07:21:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Aug 24 08:33:27 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon