Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in apr
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in apr
ID: MDVSA-2009:314
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Fr, 4. Dezember 2009, 03:18
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
Applikationen: Apache Portable Runtime

Originalnachricht

 
This is a multi-part message in MIME format...

------------=_1259893113-24326-1591


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:314
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apr
 Date    : December 4, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities has been identified and fixed in
 apr and apr-util:
 
 Multiple integer overflows in the Apache Portable Runtime (APR)
 library and the Apache Portable Utility library (aka APR-util)
 0.9.x and 1.3.x allow remote attackers to cause a denial of service
 (application crash) or possibly execute arbitrary code via vectors that
 trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc
 function in memory/unix/apr_pools.c in APR; or crafted calls to
 the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc
 function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
 NOTE: some of these details are obtained from third party information
 (CVE-2009-2412).
 
 The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
 Apache APR-util before 1.3.5 allows remote attackers to cause a denial
 of service (daemon crash) via crafted input involving (1) a .htaccess
 file used with the Apache HTTP Server, (2) the SVNMasterURI directive
 in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
 module for the Apache HTTP Server, or (4) an application that uses
 the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).
 
 The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
 Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
 modules in the Apache HTTP Server, allows remote attackers to
 cause a denial of service (memory consumption) via a crafted XML
 document containing a large number of nested entity references, as
 demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
 (CVE-2009-1955).
 
 Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
 before 1.3.5 on big-endian platforms allows remote attackers to obtain
 sensitive information or cause a denial of service (application crash)
 via crafted input (CVE-2009-1956).
 
 Packages for 2008.0 are being provided due to extended support for
 Corporate products.
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 d55d5dd456de0c7977f93bff217406d7 
 2008.0/i586/apr-util-dbd-mysql-1.2.10-1.1mdv2008.0.i586.rpm
 bd02eb2233dcc07aadd7e5eb84df9ce8 
 2008.0/i586/apr-util-dbd-pgsql-1.2.10-1.1mdv2008.0.i586.rpm
 334e127fb8ac03379c8a5f2ee7c144b6 
 2008.0/i586/apr-util-dbd-sqlite3-1.2.10-1.1mdv2008.0.i586.rpm
 4307983fb3d21ab0f9955711e116f92e 
 2008.0/i586/libapr1-1.2.11-1.1mdv2008.0.i586.rpm
 ff24f1e1587f2210346ea134d4a2053e 
 2008.0/i586/libapr-devel-1.2.11-1.1mdv2008.0.i586.rpm
 3d50a85109e011ced9e36f1565e9bc69 
 2008.0/i586/libapr-util1-1.2.10-1.1mdv2008.0.i586.rpm
 b786e2329fc63d459b841bf001261543 
 2008.0/i586/libapr-util-devel-1.2.10-1.1mdv2008.0.i586.rpm 
 6ef7669ea3d0db3dbaed35f35ae2dbdc  2008.0/SRPMS/apr-1.2.11-1.1mdv2008.0.src.rpm
 1a923fc9c2f912ef339b942a59bff4e6 
 2008.0/SRPMS/apr-util-1.2.10-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 91588bbcf3940cd106b0fe458be6d4b9 
 2008.0/x86_64/apr-util-dbd-mysql-1.2.10-1.1mdv2008.0.x86_64.rpm
 b71d8b14cc536cf8a2448b353d2b4047 
 2008.0/x86_64/apr-util-dbd-pgsql-1.2.10-1.1mdv2008.0.x86_64.rpm
 10b889bb625dbae01711ed7e8e101744 
 2008.0/x86_64/apr-util-dbd-sqlite3-1.2.10-1.1mdv2008.0.x86_64.rpm
 068334fc392c68f9b29e629dd3776f83 
 2008.0/x86_64/lib64apr1-1.2.11-1.1mdv2008.0.x86_64.rpm
 a9ed011d8b421e8604e66a87a4972477 
 2008.0/x86_64/lib64apr-devel-1.2.11-1.1mdv2008.0.x86_64.rpm
 c08da53c4c88464249f46c6577f3c2a8 
 2008.0/x86_64/lib64apr-util1-1.2.10-1.1mdv2008.0.x86_64.rpm
 4b1b86a3e07f4b87a1a53f0dbaaa3aff 
 2008.0/x86_64/lib64apr-util-devel-1.2.10-1.1mdv2008.0.x86_64.rpm 
 6ef7669ea3d0db3dbaed35f35ae2dbdc  2008.0/SRPMS/apr-1.2.11-1.1mdv2008.0.src.rpm
 1a923fc9c2f912ef339b942a59bff4e6 
 2008.0/SRPMS/apr-util-1.2.10-1.1mdv2008.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLGEWRmqjQ0CJFipgRAsWiAJ9LbNZNAkUIxWbq84aERpTacFEJPACg0xgy
wuYdtSQeV/bOOP7w17qo2V0=
=V8dA
-----END PGP SIGNATURE-----


------------=_1259893113-24326-1591
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva? 
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1259893113-24326-1591--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung