CVE-2021-35940

Published: 23 August 2021

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Priority

Medium

CVSS 3 base score: 7.1

Status

Package: apr (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (1.7.0-7)
Ubuntu 21.04 (Hirsute Hippo)      Released (1.7.0-6ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa)    Not vulnerable
Ubuntu 18.04 LTS (Bionic Beaver)  Not vulnerable
Ubuntu 16.04 ESM (Xenial Xerus)   Released (1.5.2-3ubuntu0.1~esm1)
Ubuntu 14.04 ESM (Trusty Tahr)    Released (1.5.0-1ubuntu0.1~esm1)