Bug 1980328 (CVE-2021-35940) - CVE-2021-35940 apr: Regression of CVE-2017-12613 fix in apr 1.7
Summary: CVE-2021-35940 apr: Regression of CVE-2017-12613 fix in apr 1.7
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-35940
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1996685 1998159
Blocks: 1980329
Reported: 2021-07-08 11:51 UTC by Marian Rehak
Modified: 2021-09-02 05:55 UTC
CC List: 14 users

Fixed In Version: apr 1.7.1
Clone Of:
Environment:
Last Closed: 2021-08-26 13:46:17 UTC
Embargoed:


Comment 2 Guilherme de Almeida Suckevicz 2021-08-23 13:19:07 UTC
Created apr tracking bugs for this issue:

Affects: fedora-all [bug 1996685]

Comment 7 Tomas Hoger 2021-08-27 08:14:04 UTC
The fix for the apr issue CVE-2017-12613 (see bug 1506523 for more details) that was applied upstream in version 1.6.3 was not applied to the 1.7 branch, and hence it regressed in upstream version 1.7.0. A new CVE, CVE-2021-35940, was assigned for the regression.

Upstream announcement:

https://www.openwall.com/lists/oss-security/2021/08/23/1

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1891198

Upstream patch for 1.7 - it's a subset of the changes in the above commit, removing the changes related to another fix included in the commit:

https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch

The fix should be included in upstream version 1.7.1, which has not been released yet.
