logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: High vulnerabilities present with the Apache 2.4.52 package.
Author
ranajitp2



Joined: 11 Jan 2022
Posts: 2
Location: India
PostPosted: Tue 11 Jan '22 14:22    Post subject: High vulnerabilities present with the Apache 2.4.52 package. Reply with quote
The latest Apache 2.4.52 has the below vulnerabilities. Are we planning to fix these issues? Any tentative timeline would help.

Thanks in anticipation.

Module: Apache Portable Runtime Utility Library
Version: 1.6.1
CVE: CVE-2017-12613
Score: High 7.1
Description: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

-----------------
Module: Apache Portable Runtime
Version: 1.7.0
CVE: CVE-2021-35940 (BDSA-2021-2583)
Score: High 7.1
Description: An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 677
PostPosted: Tue 11 Jan '22 15:57    Post subject: Reply with quote
Better to post this at the developer list:

https://apr.apache.org/mailing-lists.html

Last edited by admin on Wed 12 Jan '22 9:58; edited 1 time in total
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
PostPosted: Tue 11 Jan '22 21:38    Post subject: Reply with quote
The Apache/APR devs are already aware of this:
https://lists.apache.org/thread/ss0nglnp8dqy3jjw2mr1tltf1dwpd39f
Fixes are here: http://svn.apache.org/viewvc?view=revision&revision=1891198

But the changes never reached an APR 1.7.1 release:
https://www.mail-archive.com/dev@httpd.apache.org/msg75471.html
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1248
Location: Amsterdam, NL, EU
PostPosted: Wed 12 Jan '22 19:43    Post subject: Reply with quote
https://lists.apache.org/thread/28yp4jqxb799mzdj9fjfc373ojnkplr8
Quote:
I already backported the unix socket changes to 1.7.x, though Ivan objected already given the non trivial changes. I'd like it to be in 1.7.1 (mainly because of the new atomic/once wakeup which is useful for httpd's mpm_event usage), but not a strong opinion either so I could revert it's an uncomfortable change.

Besides, current 1.7.x is not a minimal change already w.r.t. 1.7.0, some not-so-trivial backports are to address issues raised by running ASAN built APR and httpd through their test suites (namely apr_pool's r1884100, apr_thread's r1884103, apr_thread_pool's r1884110). Those have landed for quite some time now, but more eyes are always welcome.
Quote:
So yes, I'd be grateful for your help, and more than happy to help you Smile
Great, let's go whenever you have the time for it Wink
Back to top


Reply to topic   Topic: High vulnerabilities present with the Apache 2.4.52 package. View previous topic :: View next topic
Post new topic   Forum Index -> Apache