
CVE-2021-35940

Published: 23 August 2021

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Notes

Author: leosilva
Note: the fix was removed in 1.7.x branches, but it is addressed in 1.6.x and later. xenial and trusty/esm are affected.

Priority

Medium

CVSS 3 base score: 7.1

Status

Package  Release   Status
apr      bionic    Not vulnerable
apr      focal     Not vulnerable
apr      hirsute   Released (1.7.0-6ubuntu0.1)
apr      impish    Released (1.7.0-6ubuntu1)
apr      jammy     Released (1.7.0-6ubuntu1)
apr      trusty    Released (1.5.0-1ubuntu0.1~esm1)
apr      upstream  Released (1.7.0-7)
apr      xenial    Released (1.5.2-3ubuntu0.1~esm1)