From ${URL} :

The Apache Software Foundation and the Apache Portable Runtime Project are proud to announce the General Availability of version 1.6.3 of the Apache Portable Runtime library (APR), as well as version 1.6.1 of the APR Utility library (APR-util) and version 1.2.2 of the APR iconv library (APR-iconv).

APR 1.6.1 release addresses one security vulnerability; CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.

APR-util 1.6.0 and prior failed to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with write access to the database can make a program or process using these functions crash, and cause a denial of service.

APR-util 1.6.3 release addresses one security vulnerability; CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions.

When apr_exp_time*() or apr_os_exp_time*() functions are invoked with an invalid month field value in APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
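The CVE-2017-12613 description above boils down to an unvalidated month field being used as an index into a static per-month table. The following is an added example, not APR's code and not part of the bug report: it uses a hypothetical struct with a subset of apr_time_exp_t's fields and shows the range check a caller (or the library) needs before the table lookup, so that externally supplied broken-down time values cannot walk off the end of the array.

```c
#include <stddef.h>

/* Hypothetical subset of apr_time_exp_t (not APR's own header):
 * tm_mon is 0-11, tm_mday is 1-31, tm_year is years since 1900. */
typedef struct {
    int tm_mon;
    int tm_mday;
    int tm_year;
} time_exp_subset;

#define TIME_OK     0
#define TIME_EINVAL 1

/* Static table indexed by the month field. With an unchecked tm_mon of,
 * say, 13 or -1, a read here lands in whatever static data sits next to
 * the table, which is the out-of-bounds access the advisory describes. */
static const int days_per_month[12] = {31,28,31,30,31,30,31,31,30,31,30,31};

static int is_leap_year(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Validate every field that is later used as an index or bound.
 * The month is checked first, because the day-of-month check needs
 * to index days_per_month with it. */
int time_exp_validate(const time_exp_subset *xt)
{
    int max_day;
    if (xt == NULL) return TIME_EINVAL;
    if (xt->tm_mon < 0 || xt->tm_mon > 11) return TIME_EINVAL;
    max_day = days_per_month[xt->tm_mon];
    if (xt->tm_mon == 1 && is_leap_year(xt->tm_year + 1900)) max_day += 1;
    if (xt->tm_mday < 1 || xt->tm_mday > max_day) return TIME_EINVAL;
    return TIME_OK;
}

/* Number of days in the month of a validated struct, or -1 if it is
 * rejected; the table lookup only happens after validation succeeds. */
int days_in_month_checked(const time_exp_subset *xt)
{
    if (time_exp_validate(xt) != TIME_OK) return -1;
    if (xt->tm_mon == 1 && is_leap_year(xt->tm_year + 1900)) return 29;
    return days_per_month[xt->tm_mon];
}

/* Convenience wrapper: build the struct from constructed input values. */
int days_in_month_for(int mon, int mday, int year_since_1900)
{
    time_exp_subset xt = { mon, mday, year_since_1900 };
    return days_in_month_checked(&xt);
}
```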
apr was already arm64 stabled from a previous bug and apr-util does not have stable arm64 keywords.
amd64 stable
ia64 stable
sparc done.
ppc/ppc64 stable
x86 stable
arm stable
Stable on alpha.
hppa stable
@maintainer(s), please drop vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ba92259e954426118d8f238ff53e7d632e852a1

commit 3ba92259e954426118d8f238ff53e7d632e852a1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-20 23:57:25 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-20 23:57:25 +0000

    dev-libs/apr: Security cleanup

    Bug: https://bugs.gentoo.org/635272
    Package-Manager: Portage-2.3.64, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/apr/Manifest         |   1 -
 dev-libs/apr/apr-1.5.2.ebuild | 143 ------------------------------------------
 2 files changed, 144 deletions(-)
<dev-libs/apr-util-1.6.3 is gone as well.