UBUNTU-CVE-2021-35940

An out-of-bounds array read in the aprtimeexp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

References

Affected packages

Ubuntu:Pro:14.04:LTS / apr

Package

Name: apr
Purl: pkg:deb/ubuntu/apr@1.5.0-1ubuntu0.1~esm1?arch=source&distro=trusty/esm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.0-1ubuntu0.1~esm1

Affected versions

1.*

1.4.8-1ubuntu1

1.4.8-2

1.4.8-3

1.5.0-1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "libapr1",
            "binary_version": "1.5.0-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dbg",
            "binary_version": "1.5.0-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dbgsym",
            "binary_version": "1.5.0-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dev",
            "binary_version": "1.5.0-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dev-dbgsym",
            "binary_version": "1.5.0-1ubuntu0.1~esm1"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / apr

Package

Name: apr
Purl: pkg:deb/ubuntu/apr@1.5.2-3ubuntu0.1~esm1?arch=source&distro=esm-infra/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.2-3ubuntu0.1~esm1

Affected versions

1.*

1.5.2-3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "libapr1",
            "binary_version": "1.5.2-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dbg",
            "binary_version": "1.5.2-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dbgsym",
            "binary_version": "1.5.2-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dev",
            "binary_version": "1.5.2-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "libapr1-dev-dbgsym",
            "binary_version": "1.5.2-3ubuntu0.1~esm1"
        }
    ]
}

Ubuntu:22.04:LTS / apr

Package

Name: apr
Purl: pkg:deb/ubuntu/apr@1.7.0-6ubuntu1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.0-6ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libapr1",
            "binary_version": "1.7.0-6ubuntu1"
        },
        {
            "binary_name": "libapr1-dbgsym",
            "binary_version": "1.7.0-6ubuntu1"
        },
        {
            "binary_name": "libapr1-dev",
            "binary_version": "1.7.0-6ubuntu1"
        }
    ]
}