CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not

[ddkilzer]

The osv.dev advisory for CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not vulnerable because they were fixed by CVE-2017-12613.

Explanation

Based on information from this patch: https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch

CVE-2021-35940 is actually the same issue as CVE-2017-12613. However, because this issue regressed in apr-1.7.0, a new CVE-ID was assigned.

However, the above patch mentions that CVE-2017-12613 was fixed in apr-1.6.3 and later, which means that apr-1.6.3 and apr-1.6.5 are not vulnerable.

I'm not sure what the solution to this is, but maybe it's adding a fixed attribute for 1.6.3 and an alias of CVE-2017-12613, depending on how the logic computes vulnerable versions.

[oliverchang]

Thanks for filing this!

This is based on Alpine's secfixes data, where often the exact "introduced" version is not available. These versions are also only relevant to Alpine's package manager, so they should not be relied on yet as general versions for the upstream package. This will change after #783.

@another-rex All of our version expansion for all the Alpine versions on https://osv.dev/vulnerability/CVE-2021-35940 expands back to "1.3.3". Do all of these Alpine versions actually go back that far?

[another-rex]

It does not, the current alpine enumeration logic does not find/stop at the release commit, though I believe that can be fixed relatively easily. I'll create an issue for this.

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

[github-actions]

Automatically closing stale issue