[Debian] CVE: CVE-2022-24963: apr: Integer Overflow or Wraparound vulnerability

Bug #2012866 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: ZhangXiao

Bug Description

CVE-2022-24963: https://nvd.nist.gov/vuln/detail/CVE-2022-24963

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.

Score:

CVE ID          Status  CVSS v3 score  AV  AC  PR  UI  AI
CVE-2022-24963  fixed   9.8            N   L   N   N   H

(AV = attack vector, AC = attack complexity, PR = privileges required, UI = user interaction, AI = availability impact; N = network for AV and none for PR/UI, L = low, H = high)

References (package upgrade path):
libapr1_1.7.0-6+deb11u1_amd64.deb -> libapr1_1.7.0-6+deb11u2_amd64.deb
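As an added check, not part of this bug report or of the StarlingX tooling: a pure-Python port of the deb-version(5) ordering rules (epoch, upstream version, Debian revision; digit runs compare numerically, '~' sorts before anything) that tells whether an installed libapr1 version predates the fixed build 1.7.0-6+deb11u2, for hosts where dpkg --compare-versions is not at hand. It only orders version strings against the fixed build; the advisory's scope (APR 1.7.0) is not modelled, so an older upstream such as 1.6.x also reports as predating the fix.

```python
FIXED_VERSION = "1.7.0-6+deb11u2"  # fixed libapr1 build named in the commit message

def _order(c):  # deb-version(5) collation weight of one character ('' = end of string)
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_fragment(a, b):
    # Compare an upstream-version or revision string pair; negative/zero/positive result
    ch = lambda s, i: s[i] if i < len(s) else ""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit runs compare character by character using _order()
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac, bc = _order(ch(a, ia)), _order(ch(b, ib))
            if ac != bc:
                return ac - bc
            ia, ib = ia + 1, ib + 1
        # Digit runs compare numerically: drop leading zeros, the longer run wins
        while ch(a, ia) == "0":
            ia += 1
        while ch(b, ib) == "0":
            ib += 1
        while ch(a, ia).isdigit() and ch(b, ib).isdigit():
            first_diff = first_diff or ord(a[ia]) - ord(b[ib])
            ia, ib = ia + 1, ib + 1
        if ch(a, ia).isdigit():
            return 1
        if ch(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # (epoch, upstream, revision); a missing epoch is 0, a missing revision is "0"
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, ordered as dpkg --compare-versions would order a against b
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    diff = (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (diff > 0) - (diff < 0)

def predates_fix(installed_version):
    # True when the installed libapr1 build is older than FIXED_VERSION
    return compare_versions(installed_version, FIXED_VERSION) < 0
```

Feed it the Version field from `dpkg-query -W -f='${Version}' libapr1` on the host being checked.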

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → ZhangXiao (zhangxiao-windriver)
Yue Tao (wrytao)
Changed in starlingx:
assignee: ZhangXiao (zhangxiao-windriver) → nobody
Changed in starlingx:
assignee: nobody → ZhangXiao (zhangxiao-windriver)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/879341

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/879341
Committed: https://opendev.org/starlingx/tools/commit/bfc56fefe6efc3abddc56308e452d51f8bad811f
Submitter: "Zuul (22348)"
Branch: master

commit bfc56fefe6efc3abddc56308e452d51f8bad811f
Author: Zhang Xiao <email address hidden>
Date: Mon Apr 3 21:14:25 2023 +0800

    Debian: apr: fix CVE-2022-24963

    Upgrade packages to below version to fix CVE-2022-24963:
    libapr1_1.7.0-6+deb11u2_amd64.deb

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2022-24963

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build-image
    Pass: boot

    Closes-bug: #2012866

    Signed-off-by: Zhang Xiao <email address hidden>
    Change-Id: Iba38bdadc2ded56324ef78f72e5b7a3b8e7e6834

Changed in starlingx:
status: In Progress → Fix Released