CVE-2021-35940: 
Linux Debian vulnerability analysis and mitigation

An out-of-bounds array read vulnerability (CVE-2021-35940) was identified in the apr_time_exp*() functions of Apache Portable Runtime (APR). This vulnerability is particularly notable as it represents a regression of a previously fixed issue (CVE-2017-12613) that was addressed in APR version 1.6.3. The fix was not properly carried forward to the APR 1.7.x branch, making version 1.7.0 vulnerable to the same issue (CVE Mitre, OSS Security).

The vulnerability specifically affects the apr_time_exp*() functions in the Apache Portable Runtime. The issue manifests as an out-of-bounds array read, which was initially fixed in version 1.6.3 but regressed in version 1.7.0 due to the fix not being properly ported to the 1.7.x branch. The vulnerability requires validation of array bounds in time-related functions (Apache Patch).

The vulnerability could potentially lead to information disclosure through out-of-bounds array reads in time-related functions. This could affect applications using the Apache Portable Runtime library for time calculations and manipulations (Debian Security).

The primary mitigation is to upgrade to a patched version of APR. A patch has been released to address this vulnerability, and it has been backported to affected versions. For version 1.7.0, a specific patch (apr-1.7.0-CVE-2021-35940.patch) is available to address this issue (Apache Patch).