Source: apr Version: 1.7.0-6 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for apr. CVE-2021-35940[0]: | An out-of-bounds array read in the apr_time_exp*() functions was fixed | in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix | for this issue was not carried forward to the APR 1.7.x branch, and | hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to | the same issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-35940 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940 [1] https://www.openwall.com/lists/oss-security/2021/08/23/1 Regards, Salvatore