
Revision 1891198


Author: jorton
Date: Fri Jul 2 11:10:33 2021 UTC (2 years, 9 months ago)
Changed paths: 4
Log Message:
Merge r1889604, r1807975 from trunk:

* random/unix/sha2.c (apr__SHA256_Final, apr__SHA256_End): Fix parameter
  buffer lengths to match declaration, avoiding GCC 11 warning.
  (no functional change)

SECURITY: CVE-2021-35940 (cve.mitre.org)

 Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
 (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
 later 1.6.x releases, but was missing in 1.7.0.)

Bounds-check human-readable date fields (credit: Stefan Sperling)

Submitted by: jorton, niq
Reviewed by: jorton


Changed paths

Path                                         Details
apr/apr/branches/1.7.x/                      modified, props changed
apr/apr/branches/1.7.x/random/unix/sha2.c    modified, text changed
apr/apr/branches/1.7.x/time/unix/time.c      modified, text changed
apr/apr/branches/1.7.x/time/win32/time.c     modified, text changed
