[SECURITY] [DLA 1162-1] apr security update

2017-11-0620:55:35

lists.debian.org

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

3.6 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:N/A:P

0.001 Low

EPSS

Percentile

26.2%

JSON

Package : apr
Version : 1.4.6-3+deb7u2
CVE ID : CVE-2017-12613
Debian Bug : #879708

It was discovered that there was an out-of-bounds memory vulnerability
in apr, a support/portability library for various applications.

When the apr_exp_time*() or apr_os_exp_time*() functions were invoked
with an invalid month field value, out of bounds memory may have been be
accessed when converting this value to an apr_time_exp_t value. This
could have potentially revealed the contents of a different static heap
value or resulted in program termination.

For Debian 7 "Wheezy", this issue has been fixed in apr version
1.4.6-3+deb7u2.

We recommend that you upgrade your apr packages.

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian9armellibapr1< 1.5.2-5+deb9u1libapr1_1.5.2-5+deb9u1_armel.deb
Debian9arm64libapr1< 1.5.2-5+deb9u1libapr1_1.5.2-5+deb9u1_arm64.deb
Debian7armhflibapr1-dev< 1.4.6-3+deb7u2libapr1-dev_1.4.6-3+deb7u2_armhf.deb
Debian9amd64libapr1-dev< 1.5.2-5+deb9u1libapr1-dev_1.5.2-5+deb9u1_amd64.deb
Debian9arm64libapr1-dev< 1.5.2-5+deb9u1libapr1-dev_1.5.2-5+deb9u1_arm64.deb
Debian9armhflibapr1-dbg< 1.5.2-5+deb9u1libapr1-dbg_1.5.2-5+deb9u1_armhf.deb
Debian7amd64libapr1-dbg< 1.4.6-3+deb7u2libapr1-dbg_1.4.6-3+deb7u2_amd64.deb
Debian7amd64libapr1-dev< 1.4.6-3+deb7u2libapr1-dev_1.4.6-3+deb7u2_amd64.deb
Debian7armellibapr1-dev< 1.4.6-3+deb7u2libapr1-dev_1.4.6-3+deb7u2_armel.deb
Debian7i386libapr1-dbg< 1.4.6-3+deb7u2libapr1-dbg_1.4.6-3+deb7u2_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	armel	libapr1	< 1.5.2-5+deb9u1	libapr1_1.5.2-5+deb9u1_armel.deb
Debian	9	arm64	libapr1	< 1.5.2-5+deb9u1	libapr1_1.5.2-5+deb9u1_arm64.deb
Debian	7	armhf	libapr1-dev	< 1.4.6-3+deb7u2	libapr1-dev_1.4.6-3+deb7u2_armhf.deb
Debian	9	amd64	libapr1-dev	< 1.5.2-5+deb9u1	libapr1-dev_1.5.2-5+deb9u1_amd64.deb
Debian	9	arm64	libapr1-dev	< 1.5.2-5+deb9u1	libapr1-dev_1.5.2-5+deb9u1_arm64.deb
Debian	9	armhf	libapr1-dbg	< 1.5.2-5+deb9u1	libapr1-dbg_1.5.2-5+deb9u1_armhf.deb
Debian	7	amd64	libapr1-dbg	< 1.4.6-3+deb7u2	libapr1-dbg_1.4.6-3+deb7u2_amd64.deb
Debian	7	amd64	libapr1-dev	< 1.4.6-3+deb7u2	libapr1-dev_1.4.6-3+deb7u2_amd64.deb
Debian	7	armel	libapr1-dev	< 1.4.6-3+deb7u2	libapr1-dev_1.4.6-3+deb7u2_armel.deb
Debian	7	i386	libapr1-dbg	< 1.4.6-3+deb7u2	libapr1-dbg_1.4.6-3+deb7u2_i386.deb