apr: CVE-2017-12613

Related Vulnerabilities: CVE-2017-12613   CVE-2017-12618  

Debian Bug report logs - #879708
apr: CVE-2017-12613


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 24 Oct 2017 20:33:02 UTC

Severity: important

Tags: security, upstream

Found in versions apr/1.6.2-1, apr/1.5.1-3

Fixed in version apr/1.6.3-1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#879708; Package src:apr-util. (Tue, 24 Oct 2017 20:33:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 24 Oct 2017 20:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-12613 CVE-2017-12618
Date: Tue, 24 Oct 2017 22:28:02 +0200
Source: apr-util
Severity: important
Tags: security

I'm sure you're aware, but filing for completeness in the BTS anyway:
http://mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E 

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#879708; Package src:apr-util. (Tue, 24 Oct 2017 20:39:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Tue, 24 Oct 2017 20:39:03 GMT)


Message #10 received at 879708@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 879708@bugs.debian.org
Subject: Re: Bug#879708: CVE-2017-12613 CVE-2017-12618
Date: Tue, 24 Oct 2017 22:35:37 +0200
On Tue, Oct 24, 2017 at 10:28:02PM +0200, Moritz Muehlenhoff wrote:
> Source: apr-util
> Severity: important
> Tags: security
> 
> I'm sure you're aware, but filing for completeness in the BTS anyway:
> http://mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E 

Actually CVE-2017-12618 is in apr-util and CVE-2017-12613 in apr

I don't think any of those need a DSA, but let me know if you disagree.

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:30:12 GMT)


Marked as found in versions apr-util/1.6.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:30:13 GMT)


Bug 879708 cloned as bug 879996. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:05 GMT)


Bug reassigned from package 'src:apr-util' to 'src:apr'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:06 GMT)


No longer marked as found in versions apr-util/1.6.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:07 GMT)


Marked as found in versions apr/1.6.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:07 GMT)


Changed Bug title to 'apr: CVE-2017-12613' from 'CVE-2017-12613 CVE-2017-12618'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Oct 2017 07:33:08 GMT)


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Mon, 06 Nov 2017 19:36:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 06 Nov 2017 19:36:07 GMT)


Message #29 received at 879708-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 879708-close@bugs.debian.org
Subject: Bug#879708: fixed in apr 1.6.3-1
Date: Mon, 06 Nov 2017 19:34:09 +0000
Source: apr
Source-Version: 1.6.3-1

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879708@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Nov 2017 20:07:42 +0100
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source amd64
Version: 1.6.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 libapr1    - Apache Portable Runtime Library
 libapr1-dbg - Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - Apache Portable Runtime Library - Development Headers
Closes: 879708
Changes:
 apr (1.6.3-1) unstable; urgency=medium
 .
   * New upstream version
     - Fixes CVE-2017-12613: Out-of-bounds array deref in apr_time_exp*
       functions. Closes: #879708
   * Replace obsolete priority extra with optional.
Checksums-Sha1:
 7548e0ff3d9d67b894681daf411d13114381eb85 2319 apr_1.6.3-1.dsc
 4f3aa8d8204a2674868b9d485c11349e1848987d 854100 apr_1.6.3.orig.tar.bz2
 96e88e4f07335053be605bf6f3983103b6da6926 801 apr_1.6.3.orig.tar.bz2.asc
 45a03eae5cedd38d055fd9f577c85d6fb48c4e28 212956 apr_1.6.3-1.debian.tar.xz
 48a20b6f0906b0c5c97ec538d6495db1df558fa1 6831 apr_1.6.3-1_amd64.buildinfo
 5ae8a697e3ed1b5a34d9cd574aa9740e073cb542 288080 libapr1-dbg_1.6.3-1_amd64.deb
 43d76fa2ddf1eea56c6cc863087339f7bcdbeb1b 704048 libapr1-dev_1.6.3-1_amd64.deb
 c15c2efe778f03c19d01769d998daf0bf298696a 100436 libapr1_1.6.3-1_amd64.deb
Checksums-Sha256:
 4053fe879e73b58b85b9faef47f88f3f2f5b416ea57df2eb9617e6313e16b33d 2319 apr_1.6.3-1.dsc
 131f06d16d7aabd097fa992a33eec2b6af3962f93e6d570a9bd4d85e95993172 854100 apr_1.6.3.orig.tar.bz2
 33db39162f7ca9acdccaa4f19630a67045542791b262116d3512c8b5d7c3fca1 801 apr_1.6.3.orig.tar.bz2.asc
 81c13e7277db373f6b72279caa576c9cd91a9902c8798d628e2c2d504962eb8e 212956 apr_1.6.3-1.debian.tar.xz
 13c8fdd1eb75a3712388efd0c324fa522b255fa554b8c0c8510a08bc0f2e7926 6831 apr_1.6.3-1_amd64.buildinfo
 2c3c43573a2c3129b44faa38ba133c436d199004e946ca1d19671efba4936a05 288080 libapr1-dbg_1.6.3-1_amd64.deb
 798203f30e4b0c4ee40b499f901e9c9919fea116b40b641b64d913f1756288b2 704048 libapr1-dev_1.6.3-1_amd64.deb
 db7f608eec6e3354aeb559ac7072bfee5ad0aa982bccf67fa6491eab7cdb0e51 100436 libapr1_1.6.3-1_amd64.deb
Files:
 5af4f8274f37af1136be6b8053538c62 2319 libs optional apr_1.6.3-1.dsc
 12f2a349483ad6f12db49ba01fbfdbfa 854100 libs optional apr_1.6.3.orig.tar.bz2
 51443db1316879ba2e0c1ad1f6ca263f 801 libs optional apr_1.6.3.orig.tar.bz2.asc
 f093d07190bbd8bee385bee6b7dddf95 212956 libs optional apr_1.6.3-1.debian.tar.xz
 3b6c62d602bcf2e9749fc1c6513e1280 6831 libs optional apr_1.6.3-1_amd64.buildinfo
 f99c9f4f7ec5af80ec67e138bf4949fc 288080 debug optional libapr1-dbg_1.6.3-1_amd64.deb
 4a449641e30594303c232feb2461be01 704048 libdevel optional libapr1-dev_1.6.3-1_amd64.deb
 1502781e8eb5ab32c9154d3b4bde9e7c 100436 libs optional libapr1_1.6.3-1_amd64.deb




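The changelog entry in the closing message above names the bug class (an out-of-bounds array dereference in the apr_time_exp* functions) but the page carries none of the affected code. The C block below is an added illustration written for this page, not APR's source or the upstream patch: it models the pattern with a struct shaped like apr_time_exp_t (tm_mon and tm_wday are APR's public field names; the table names, function names, the 31-day bound and the -1 error return are this example's own assumptions) and puts the unchecked table lookup beside a version that validates the indices before using them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration for this page, not APR's source. The struct is
 * shaped like apr_time_exp_t (tm_mon and tm_wday are APR's public field
 * names); everything else here is this example's own. */
typedef struct {
    int tm_mon;   /* month, 0..11 expected */
    int tm_wday;  /* day of week, 0..6 expected */
    int tm_mday;  /* day of month, 1..31 */
    int tm_year;  /* years since 1900 */
} exp_time_t;

static const char *const month_names[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};
static const char *const day_names[7] = {
    "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
};

/* Vulnerable pattern: the table indices come straight from the struct. When
 * the struct was filled from untrusted input (or never validated), tm_mon == 12
 * or tm_wday == -1 reads a pointer from outside the table and snprintf then
 * dereferences whatever it found there. */
int format_date_unchecked(char *out, size_t outlen, const exp_time_t *xt)
{
    return snprintf(out, outlen, "%s, %02d %s %d",
                    day_names[xt->tm_wday], xt->tm_mday,
                    month_names[xt->tm_mon], xt->tm_year + 1900);
}

/* Hardened pattern: range-check every value that is used as a table index
 * before it is used, and refuse the input instead of formatting garbage. */
int exp_time_is_valid(const exp_time_t *xt)
{
    return xt->tm_mon >= 0 && xt->tm_mon < 12 &&
           xt->tm_wday >= 0 && xt->tm_wday < 7 &&
           xt->tm_mday >= 1 && xt->tm_mday <= 31;
}

int format_date_checked(char *out, size_t outlen, const exp_time_t *xt)
{
    if (!exp_time_is_valid(xt))
        return -1;   /* APR-style code would return an apr_status_t error here */
    return format_date_unchecked(out, outlen, xt);
}

/* Wrapper used by the demo below: returns the formatted string for the given
 * fields, or NULL when the checked path rejects them. */
const char *checked_date(int mon, int wday, int mday, int year)
{
    static char buf[64];
    exp_time_t xt = { mon, wday, mday, year };
    if (format_date_checked(buf, sizeof buf, &xt) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* 6 Nov 2017, the upload date in the changes file above, is a Monday. */
    const char *ok = checked_date(10, 1, 6, 117);
    printf("valid  : %s\n", ok ? ok : "(rejected)");
    /* tm_mon == 12 would index month_names[12] in the unchecked version. */
    const char *bad = checked_date(12, 1, 6, 117);
    printf("mon=12 : %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The check belongs in the formatting routine, not only at the call sites: an exploded-time struct is a plain public structure that any caller can fill by hand, so a library function that indexes fixed tables with its fields has to treat them as untrusted.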

Marked as found in versions apr/1.5.1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 Nov 2017 21:12:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Dec 2017 07:25:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:09 2019; Machine Name: buxtehude
