Posted to commits@apr.apache.org by co...@apache.org on 2023/01/31 15:26:45 UTC
svn commit: r59755 - in /release/apr: CHANGES-APR-1.7 CHANGES-APR-UTIL-1.6
Author: covener
Date: Tue Jan 31 15:26:45 2023
New Revision: 59755
Log:
add released CVES
Modified:
release/apr/CHANGES-APR-1.7
release/apr/CHANGES-APR-UTIL-1.6
Modified: release/apr/CHANGES-APR-1.7
==============================================================================
--- release/apr/CHANGES-APR-1.7 (original)
+++ release/apr/CHANGES-APR-1.7 Tue Jan 31 15:26:45 2023
@@ -1,6 +1,16 @@
-*- coding: utf-8 -*-
Changes for APR 1.7.1
+ *) SECURITY: CVE-2022-24963 (cve.mitre.org)
+ Integer Overflow or Wraparound vulnerability in apr_encode functions of
+ Apache Portable Runtime (APR) allows an attacker to write beyond bounds
+ of a buffer.
+
+ *) SECURITY: CVE-2022-28331 (cve.mitre.org)
+ On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond
+ the end of a stack based buffer in apr_socket_sendv(). This is a result
+ of integer overflow.
+
*) SECURITY: CVE-2021-35940 (cve.mitre.org)
Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
(This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
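Review bot: The CVE-2022-24963 entry at the top of this hunk does not say which APR releases are affected, while the CVE-2022-28331 entry directly below it states "1.7.0 and earlier"; add the affected version range to the first entry so that a reader of CHANGES can tell whether their build is exposed. The same entry says only "apr_encode functions", where the second names apr_socket_sendv() explicitly, so listing the affected functions would help anyone auditing their call sites. As a style point, "stack based buffer" in the CVE-2022-28331 text should be hyphenated as "stack-based buffer".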
Modified: release/apr/CHANGES-APR-UTIL-1.6
==============================================================================
--- release/apr/CHANGES-APR-UTIL-1.6 (original)
+++ release/apr/CHANGES-APR-UTIL-1.6 Tue Jan 31 15:26:45 2023
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with APR-util 1.6.2
+ *) SECURITY: CVE-2022-25147 (cve.mitre.org)
+ Integer Overflow or Wraparound vulnerability in apr_base64 functions
+ of Apache Portable Runtime Utility (APR-util) allows an attacker to
+ write beyond bounds of a buffer.
+
*) Teach configure how to find and build against MariaDB 10.2. PR 61517
[Kris Karas <bugs-a17 moonlit-rail.com>]
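Review bot: The CVE-2022-25147 entry names neither the affected APR-util versions nor the specific apr_base64 functions, so it gives no way to judge exposure from CHANGES alone; consider adding the affected range in the way the APR 1.7.1 entry for CVE-2022-28331 does with "1.7.0 and earlier". The entry also carries no bracketed attribution like the one on the MariaDB entry that follows it, so add a reporter credit in that form if one is available.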