Control: tags -1 + patch

On Mon, Aug 23, 2021 at 03:44:05PM +0200, Salvatore Bonaccorso wrote:
> Source: apr
> Version: 1.7.0-6
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for apr.
>
> CVE-2021-35940[0]:
> | An out-of-bounds array read in the apr_time_exp*() functions was fixed
> | in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
> | for this issue was not carried forward to the APR 1.7.x branch, and
> | hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to
> | the same issue.

Proposed change in https://salsa.debian.org/apache-team/apr/-/merge_requests/8

Regards,
Salvatore