To: [email protected]Subject: [ MDVSA-2009:131 ] apr-util
Date: Sun, 07 Jun 2009 00:27:00 +0200
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1MD4Ls-0005vk-Jl@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:131
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apr-util
Date : June 6, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple security vulnerabilities has been identified and fixed
in apr-util:
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
Apache APR-util before 1.3.5 allows remote attackers to cause a denial
of service (daemon crash) via crafted input involving (1) a .htaccess
file used with the Apache HTTP Server, (2) the SVNMasterURI directive
in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
module for the Apache HTTP Server, or (4) an application that uses
the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
92f1f45dfb84661bd03bf51bee6897d9 2008.1/i586/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.i586.rpm
caef9a32c67002abedab6b0ac17b1967 2008.1/i586/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.i586.rpm
8801ecf1cdfdc5dfa78c30bdad3cd060 2008.1/i586/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.i586.rpm
9d66380821421ad635227dc5476318b0 2008.1/i586/libapr-util1-1.2.12-4.1mdv2008.1.i586.rpm
1e5ddcfcc0ad295b60973b5d52d011b3 2008.1/i586/libapr-util-devel-1.2.12-4.1mdv2008.1.i586.rpm
e08259c07ac94bc85845f3734be8db34 2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
d56edd77f88f36b09f83b713c9d8ffa2 2008.1/x86_64/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.x86_64.rpm
0d92993cb208bb096a8ea368f54fe11f 2008.1/x86_64/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.x86_64.rpm
1dc136b490ff75420d7c574ef8c3171b 2008.1/x86_64/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.x86_64.rpm
f45811447bb16f318e801358dd204ed3 2008.1/x86_64/lib64apr-util1-1.2.12-4.1mdv2008.1.x86_64.rpm
dc610ef400bafbcb7661a211c14b5391 2008.1/x86_64/lib64apr-util-devel-1.2.12-4.1mdv2008.1.x86_64.rpm
e08259c07ac94bc85845f3734be8db34 2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm
Mandriva Linux 2009.0:
9176400dae2afb4b5b3610d2f210cc59 2009.0/i586/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.i586.rpm
a7bf775d9602e8334e1cd741b3629968 2009.0/i586/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.i586.rpm
3c7258acac4168f81a0c885e30bf1aba 2009.0/i586/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.i586.rpm
7addb0ca1d17c3c13d82546ba37fe88a 2009.0/i586/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.i586.rpm
557370eb6a25ce86b8c2b7fa09d7c272 2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.i586.rpm
32ede22cfdb2ea0e4d493a0a266f8080 2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.i586.rpm
7caa67204bbfedd4d02957e5b01d536b 2009.0/i586/libapr-util1-1.3.4-2.1mdv2009.0.i586.rpm
73b73db72a446ef172144f87e42efab5 2009.0/i586/libapr-util-devel-1.3.4-2.1mdv2009.0.i586.rpm
b26a710b3ab76a3455c379b7fb445dcd 2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
1518e4d5cc1ed90ede935be0526f45c7 2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.x86_64.rpm
438292564ad5f4816b611b30d5801133 2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.x86_64.rpm
1b9f81750a5e10163d8e1ef66824a9fd 2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.x86_64.rpm
5c66b915d362e2f76af8826cda7ad4f1 2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.x86_64.rpm
b2a87f1ad69286bb6a85cc5684e0a923 2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.x86_64.rpm
a83f43dbc1e469d35790aa1a416bc532 2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.x86_64.rpm
07799e945a1f9d8a87c1d3571b294566 2009.0/x86_64/lib64apr-util1-1.3.4-2.1mdv2009.0.x86_64.rpm
00a029d2d94c2c148b42a577fb050230 2009.0/x86_64/lib64apr-util-devel-1.3.4-2.1mdv2009.0.x86_64.rpm
b26a710b3ab76a3455c379b7fb445dcd 2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
5dddb4e8f882abeafe169068155b39e5 2009.1/i586/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.i586.rpm
ec7826f62f8532cc9d9f0ec4493c27a8 2009.1/i586/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.i586.rpm
a2d652ea15ad9d6fdb20c0c4597b5e92 2009.1/i586/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.i586.rpm
04edc5f79d1f1fb944f124be02f5f4f4 2009.1/i586/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.i586.rpm
5d442d45fd174ede671616de3633c3d1 2009.1/i586/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.i586.rpm
d8c39ce871315657d14cd667b86b0a1f 2009.1/i586/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.i586.rpm
53ff86d912ddd8f03f2cc7008e6b3efe 2009.1/i586/libapr-util1-1.3.4-9.1mdv2009.1.i586.rpm
4e48b8ec5cfd96049995be6b35620777 2009.1/i586/libapr-util-devel-1.3.4-9.1mdv2009.1.i586.rpm
5f540f08104dd6b9308fb8a250265934 2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
2a2b2b3ad850b47a0e46e3887b2444bb 2009.1/x86_64/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.x86_64.rpm
20da927348792593bc861c87c179731c 2009.1/x86_64/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.x86_64.rpm
0abf7046538fcdacef067f84313fbbc5 2009.1/x86_64/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.x86_64.rpm
0292409a75181175cde3f1a012ecb2af 2009.1/x86_64/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.x86_64.rpm
a4045886cba9ffc7a26b6aaf9576a4ba 2009.1/x86_64/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.x86_64.rpm
8010ff96d9520f1785b4afc08f04ad5b 2009.1/x86_64/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.x86_64.rpm
e715d3c003d71105ff333b4ea1a22437 2009.1/x86_64/lib64apr-util1-1.3.4-9.1mdv2009.1.x86_64.rpm
b187dd640492b20701e9689036c23ff9 2009.1/x86_64/lib64apr-util-devel-1.3.4-9.1mdv2009.1.x86_64.rpm
5f540f08104dd6b9308fb8a250265934 2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm
Corporate 4.0:
6de99d9180e53e38ee113673a5d3e689 corporate/4.0/i586/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.i586.rpm
3eaf3a6c3f9e31774c8f25db25dca5be corporate/4.0/i586/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.i586.rpm
afe8fec9e8fa17db894eb98f2e35ffd7 corporate/4.0/i586/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.i586.rpm
62d0ff16e5b1e8ed25d510c660bea31a corporate/4.0/i586/libapr-util1-1.2.7-6.1.20060mlcs4.i586.rpm
637f00f1637a352131786816bb1a83ee corporate/4.0/i586/libapr-util1-devel-1.2.7-6.1.20060mlcs4.i586.rpm
4e8d1d2aef2789c69b1cc4b146e13df0 corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
d5158329088f973b19537ec3ce81ca15 corporate/4.0/x86_64/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.x86_64.rpm
f3ca6e7dbf32fc8984091a231a783062 corporate/4.0/x86_64/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.x86_64.rpm
20cbdcfc13ed4dd3c7a96d332598aa9d corporate/4.0/x86_64/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.x86_64.rpm
7680ac2c17b071b8bb7d7df7aa819587 corporate/4.0/x86_64/lib64apr-util1-1.2.7-6.1.20060mlcs4.x86_64.rpm
b78edda70db885ac7c910be07d1ab335 corporate/4.0/x86_64/lib64apr-util1-devel-1.2.7-6.1.20060mlcs4.x86_64.rpm
4e8d1d2aef2789c69b1cc4b146e13df0 corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKKsBgmqjQ0CJFipgRAryqAJ43uOjXmQp4I1cr16CXJMLnyNFKfQCffu5h
qObBjyzCi7PWfx6IM1WMldQ=
=2E5N
-----END PGP SIGNATURE-----