The osv.dev advisory for CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not vulnerable because they were fixed by CVE-2017-12613.

Explanation

Based on information from this patch: https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch

CVE-2021-35940 is actually the same issue as CVE-2017-12613. However, because this issue regressed in apr-1.7.0, a new CVE-ID was assigned.

However, the above patch mentions that CVE-2017-12613 was fixed in apr-1.6.3 and later, which means that apr-1.6.3 and apr-1.6.5 are not vulnerable.

I'm not sure what the solution to this is, but maybe it's adding a fixed attribute for 1.6.3 and an alias of CVE-2017-12613, depending on how the logic computes vulnerable versions.
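To make the proposal concrete, here is an added illustration (not osv.dev's own code) of how OSV-style `introduced`/`fixed` events decide which apr versions are affected. It assumes apr versions compare as dotted integer tuples, and it leaves the 1.7 branch interval open because the issue gives no fixed version for it.

```python
"""Evaluate OSV-style affected ranges for apr versions (added example).

Shows how the reporter's proposed range, a `fixed` event at 1.6.3 (the
CVE-2017-12613 fix) plus a re-`introduced` event at 1.7.0, excludes
apr-1.6.3 and apr-1.6.5 while keeping 1.7.0 affected.
Assumption: versions compare as dotted integer tuples, which holds for
apr's x.y.z release numbers (not OSV's general ecosystem ordering).
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    # "0" is OSV's sentinel for "every version since the beginning".
    return tuple(int(part) for part in v.split("."))


def affected_intervals(events: List[Dict[str, str]]) -> List[Tuple[Version, Optional[Version]]]:
    """Turn an OSV `events` list into [start, end) intervals.

    Each `introduced` opens an interval; the next `fixed` closes it.
    An `introduced` with no following `fixed` stays open-ended.
    """
    intervals: List[Tuple[Version, Optional[Version]]] = []
    start: Optional[Version] = None
    for ev in sorted(events, key=lambda e: parse_version(next(iter(e.values())))):
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            intervals.append((start, parse_version(ev["fixed"])))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def is_affected(version: str, events: List[Dict[str, str]]) -> bool:
    v = parse_version(version)
    return any(lo <= v and (hi is None or v < hi) for lo, hi in affected_intervals(events))


# Constructed: the range as the issue describes it today (one open interval).
CURRENT_EVENTS = [{"introduced": "0"}]
# Constructed: the reporter's proposal, fixed in 1.6.3, regressed in 1.7.0.
PROPOSED_EVENTS = [{"introduced": "0"}, {"fixed": "1.6.3"}, {"introduced": "1.7.0"}]


def compare(versions=("1.6.2", "1.6.3", "1.6.5", "1.7.0")) -> Dict[str, Tuple[bool, bool]]:
    """Map version -> (affected under current range, affected under proposed range)."""
    return {v: (is_affected(v, CURRENT_EVENTS), is_affected(v, PROPOSED_EVENTS)) for v in versions}


if __name__ == "__main__":
    for v, (cur, prop) in compare().items():
        print(f"apr-{v}: current={cur} proposed={prop}")
```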
ddkilzer changed the title from "CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable" to "CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not" on Jan 2, 2023.
This is based on Alpine's secfixes data, where often the exact "introduced" version is not available. These versions are also only relevant to Alpine's package manager, so they should not be relied on yet as general versions for the upstream package. This will change after #783.
It does not; the current Alpine enumeration logic does not find/stop at the release commit, though I believe that can be fixed relatively easily. I'll create an issue for this.