This got broken again by the upgrade to 1.7.0, as the fix never made its way into the 1.7 branch. Apache has issued an advisory for this today:
https://www.openwall.com/lists/oss-security/2021/08/23/1

Mageia 8 is also affected.

+++ This bug was initially created as a clone of Bug #22017 +++

Fedora has issued an advisory on November 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/

Mageia 5 is also affected. The issue was fixed upstream in 1.6.3. The Red Hat bug contains a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1506523#c7
Whiteboard: (none) => MGA8TOO
Version: 6 => Cauldron
Status comment: (none) => Patch available from upstream
This fatherless SRPM has been committed by many different people, so I'm having to assign the bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (CVE-2021-35940)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
https://www.openwall.com/lists/oss-security/2021/08/23/1
========================

Updated packages in core/updates_testing:
========================
lib(64)apr1_0-1.7.0-3.1.mga8
lib(64)apr-devel-1.7.0-3.1.mga8

from SRPM:
apr-1.7.0-3.1.mga8.src.rpm
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Patch available from upstream => (none)
CVE: (none) => CVE-2021-35940
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
mga8, x64

This seems to be intended as a universal API for programmers needing to interface with different platforms without having to know too much about the underlying details. It is purely development stuff. The top-level apr.h file contains over 600 defines and typedefs. Not surprising to see that it is required by development packages only.

    $ urpmq --whatrequires-recursive lib64apr1_0 | sort -u
    apache-devel
    apache-mod_perl-devel
    lib64apr-devel
    lib64apr-util-devel
    lib64svncpp-devel
    subversion-devel

All we can do is demonstrate a clean install. lib64apr1_0 already on board. Installed the devel package and updated. qarepo and MageiaUpdate - no problems.

    $ rpm -qa | grep apr
    lib64apr-util1_0-1.6.1-4.mga8
    lib64apr1_0-1.7.0-3.1.mga8
    lib64apr-devel-1.7.0-3.1.mga8

    $ urpmq -i lib64apr-util1_0
    ........
    Summary     : Apache Portable Runtime Utility library
    Description :
    The mission of the Apache Portable Runtime (APR) is to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR; including support for XML, LDAP, database interfaces, URI parsing and more.
    .........

Support for LDAP, MySQL, Oracle, sqlite3 and others can be enabled.

Giving this the green light.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Ubuntu has issued an advisory for this on August 30:
https://ubuntu.com/security/notices/USN-5056-1
RedHat has issued an advisory on August 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6FWFN6CSD2CNV63HOPH57T3CQKYKELVR/

Do we have these Coverity cleanups included?
(In reply to David Walser from comment #5)
> Do we have these coverity cleanups included?

No, we don't. I only added a patch for CVE-2021-35940. Do you want me to add the patch for those cleanups and push a new release?
Yes please.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (CVE-2021-35940)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
https://www.openwall.com/lists/oss-security/2021/08/23/1
https://ubuntu.com/security/notices/USN-5056-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6FWFN6CSD2CNV63HOPH57T3CQKYKELVR/
========================

Updated packages in core/updates_testing:
========================
lib(64)apr1_0-1.7.0-3.2.mga8
lib(64)apr-devel-1.7.0-3.2.mga8

from SRPM:
apr-1.7.0-3.2.mga8.src.rpm
Whiteboard: MGA8-64-OK => (none)
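The defect class the advisory describes, as an added illustration that is not the page's code and not APR's: a 12-entry day-offset table indexed by the tm_mon field of an exploded-time struct, first without a range check and then with one. It assumes the out-of-range index is the month field (as in apr_time_exp_t's tm_mon); the struct, table contents and EX_* status codes are stand-ins constructed for this example, and the real fix is the upstream commit linked from the Red Hat bug.

```c
#include <stdio.h>

/* Constructed stand-in for apr_time_exp_t with only the fields this
 * illustration needs; the field names follow the real APR struct. */
typedef struct {
    int tm_year;  /* years since 1900 */
    int tm_mon;   /* 0..11 */
    int tm_mday;  /* 1..31 */
} exp_time_t;
/* Cumulative days before each month of a non-leap year: 12 entries. */
static const int dayoffset[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};
#define EX_SUCCESS  0
#define EX_EBADDATE 1   /* illustration-only status code */

static int is_leap(int year1900) {
    int y = year1900 + 1900;
    return (y % 4 == 0 && y % 100 != 0) || (y % 400 == 0);
}

/* Vulnerable shape: tm_mon arrives from the caller and is used as an
 * array index unchecked, so any value outside 0..11 reads past the table. */
int day_of_year_unchecked(const exp_time_t *xt) {
    int days = dayoffset[xt->tm_mon] + xt->tm_mday;
    if (xt->tm_mon > 1 && is_leap(xt->tm_year))
        days++;
    return days;
}

/* Hardened shape: validate every caller-supplied field before it reaches
 * an index, and report failure through a status code instead of reading. */
int day_of_year_checked(const exp_time_t *xt, int *days_out) {
    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
        return EX_EBADDATE;
    if (xt->tm_mday < 1 || xt->tm_mday > 31)
        return EX_EBADDATE;
    *days_out = day_of_year_unchecked(xt);  /* index is now known in range */
    return EX_SUCCESS;
}

int main(void) {
    exp_time_t ok = { 121, 7, 23 };   /* 23 Aug 2021, the advisory's date */
    exp_time_t bad = { 121, 12, 1 };  /* tm_mon one past the end of the table */
    int days = 0;
    int st = day_of_year_checked(&ok, &days);
    printf("ok:  status %d, day-of-year %d\n", st, days);
    printf("bad: status %d\n", day_of_year_checked(&bad, &days));
    return 0;
}
```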
Thanks Nicolas. Len, Apache uses this library, so you can test with that.
mga8, x64

httpd running fine. Installed the updates and restarted apache. localhost says "It works!".

In no position to get the server to use libapr but Firefox functions properly. Checked a few links, bookmarks, Gmail account, logged in to my router, read Ruby Weekly and watched DUST videos on YouTube. Ran phpMyAdmin; opened an earlier test database.

Hoping this is a sufficient test.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0428.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED