Bug 1980328 (CVE-2021-35940) - CVE-2021-35940 apr: Regression of CVE-2017-12613 fix in apr 1.7
Summary: CVE-2021-35940 apr: Regression of CVE-2017-12613 fix in apr 1.7
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-35940
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1996685 1998159
Blocks: 1980329
TreeView+ depends on / blocked
 
Reported: 2021-07-08 11:51 UTC by Marian Rehak
Modified: 2021-09-02 05:55 UTC (History)
14 users (show)

Fixed In Version: apr 1.7.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-26 13:46:17 UTC
Embargoed:


Attachments (Terms of Use)

Comment 2 Guilherme de Almeida Suckevicz 2021-08-23 13:19:07 UTC
Created apr tracking bugs for this issue:

Affects: fedora-all [bug 1996685]

Comment 7 Tomas Hoger 2021-08-27 08:14:04 UTC
The fix for the apr issue CVE-2017-12613 (see bug 1506523 for more details) that was applied upstream in version 1.6.3 was not applied to 1.7 branch and hence it was regressed in upstream version 1.7.0.  A new CVE-2021-35940 was assigned for the regression.

Upstream announcement:

https://www.openwall.com/lists/oss-security/2021/08/23/1

Upstream commit:

http://svn.apache.org/viewvc?view=revision&revision=1891198

Upstream patch for 1.7 - it's a subset of the changes in the above commit, removing changes related to other fix included in the commit:

https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch

The fix should be included in upstream version 1.7.1, which has not been released yet.


Note You need to log in before you can comment on or make changes to this bug.