libapr-1.so is vulnerable to an out-of-bounds read. A malicious user can pass an invalid month value to the apr_time_exp*() or apr_os_exp_time*() functions to cause an out-of-bounds read, which can lead to disclosure of sensitive information or an application crash.
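The following is an added example, not APR's code and not part of the advisory: a constructed model of this bug class, in which a 12-entry table is indexed by a caller-supplied month field and the range check must come before the lookup. The struct, function and constant names are hypothetical.

```c
#include <stddef.h>

/* Hypothetical exploded-date struct for this example (not apr_time_exp_t). */
typedef struct {
    int year;  /* years since 1900 */
    int mon;   /* 0..11, 0 = January */
    int mday;  /* 1..31 */
} exp_date_t;

#define DATE_OK   0
#define DATE_BAD -1

/* Days from 1 March to the first day of each month, indexed by mon. */
static const int dayoffset[12] =
    {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};

/* Convert an exploded date to days since 1970-01-01.
 * Every field is range-checked before it is used as an index or operand;
 * on failure *days_out is left untouched. */
int exp_date_to_days(const exp_date_t *d, long *days_out)
{
    if (d == NULL || days_out == NULL)
        return DATE_BAD;
    /* Without this check, dayoffset[d->mon] reads outside the table. */
    if (d->mon < 0 || d->mon >= 12)
        return DATE_BAD;
    if (d->mday < 1 || d->mday > 31 || d->year < 0)
        return DATE_BAD;

    long year = d->year;
    if (d->mon < 2)
        year--;                       /* count the year from 1 March */

    /* Days since 1900-03-01 in the Gregorian calendar. */
    long days = year * 365 + year / 4 - year / 100 + (year / 100 + 3) / 4;
    days += dayoffset[d->mon] + d->mday - 1;

    *days_out = days - 25508;         /* 1970-01-01 is day 25508 from 1900-03-01 */
    return DATE_OK;
}
```

Callers that take date fields from untrusted input (parsed headers, file metadata, network messages) can apply the same range check before handing the structure to a library conversion routine.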
www.apache.org/dist/apr/Announcement1.x.html
www.openwall.com/lists/oss-security/2021/08/23/1
www.securityfocus.com/bid/101560
www.securitytracker.com/id/1042004
access.redhat.com/documentation/en/red-hat-jboss-core-services/
access.redhat.com/errata/RHSA-2017:3270
access.redhat.com/errata/RHSA-2017:3475
access.redhat.com/errata/RHSA-2017:3476
access.redhat.com/errata/RHSA-2017:3477
access.redhat.com/errata/RHSA-2018:0316
access.redhat.com/errata/RHSA-2018:0465
access.redhat.com/errata/RHSA-2018:0466
access.redhat.com/errata/RHSA-2018:1253
access.redhat.com/security/updates/classification/#important
issues.jboss.org/browse/JBCS-402
lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E
lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339@%3Ccommits.apr.apache.org%3E
lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E
lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E
lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9@%3Ccommits.apr.apache.org%3E
lists.debian.org/debian-lts-announce/2017/11/msg00005.html
lists.debian.org/debian-lts-announce/2022/01/msg00023.html
svn.apache.org/viewvc?view=revision&revision=1807976