Posted to commits@apr.apache.org by jo...@apache.org on 2021/08/20 13:33:01 UTC

svn propchange: r1891198 - svn:log

Author: jorton
Revision: 1891198
Modified property: svn:log

Modified: svn:log at Fri Aug 20 13:33:01 2021
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Fri Aug 20 13:33:01 2021
@@ -4,6 +4,12 @@ Merge r1889604, r1807975 from trunk:
   buffer lengths to match declaration, avoiding GCC 11 warning.
   (no functional change)
 
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+ Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
+ (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
+ later 1.6.x releases, but was missing in 1.7.0.)
+
 Bounds-check human-readable date fields (credit: Stefan Sperling)
 
 Submitted by: jorton, niq
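
Review bot: the added SECURITY paragraph does not say which of the two merged revisions named in the hunk header (r1889604, r1807975) restores the bounds check, so a reader cannot map CVE-2021-35940 to a specific change. Consider naming that revision next to "Restore fix for out-of-bounds array dereference in apr_time_exp*() functions", and stating whether the existing "Bounds-check human-readable date fields" line is that same fix or a separate one. The "(cve.mitre.org)" tag is only a host name; a full reference to the CVE entry would make the log line usable on its own.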