|Description||An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[bullseye] - apr <no-dsa> (Minor issue)
[buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
[stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
The issue exists because the CVE-2017-12613 fix was not carried forward
in the APR 1.7.x branch and hence version 1.7.0 regressed from 1.6.3
and so vulnerable to the same issue.