[USN-786-1] apr-util vulnerabilities
Date: Wed, 10 Jun 2009 15:12:45 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: [email protected]
Subject: [USN-786-1] apr-util vulnerabilities
Message-ID: <20090610201245.GA12328@severus.strandboge.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Virus-Scanned: antivirus-gw at tyumen.ru
--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-786-1 June 10, 2009
apr-util vulnerabilities
CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libaprutil1 1.2.12+dfsg-3ubuntu0.1
Ubuntu 8.10:
libaprutil1 1.2.12+dfsg-7ubuntu0.1
Ubuntu 9.04:
libaprutil1 1.2.12+dfsg-8ubuntu0.1
After a standard system upgrade you need to restart any services that use
apr-util, such as Apache or svnserve, to effect the necessary changes.
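The two checks a practitioner actually wants after reading the block above are "is the installed libaprutil1 older than the fixed version?" and "which running processes still have the old library mapped and therefore need a restart?". The following is an added example, not part of the Ubuntu notice: it reimplements dpkg's version comparison (epoch, upstream part, Debian revision, with `~` sorting before everything) so the check works without `apt_pkg`, parses `dpkg-query -W -f='${Package} ${Version} ${Status}\n'` output, and scans `/proc/<pid>/maps` for an apr-util shared object marked `(deleted)`, which is how a replaced-but-still-mapped library shows up. The dpkg-query and maps text embedded below is constructed, and the `libaprutil-1.so` file name is assumed from the package layout.

```python
"""Check a host against USN-786-1 (added example, not Ubuntu's own tooling)."""
import os

# Fixed versions from the advisory, keyed by Ubuntu release.
FIXED = {
    "8.04": "1.2.12+dfsg-3ubuntu0.1",
    "8.10": "1.2.12+dfsg-7ubuntu0.1",
    "9.04": "1.2.12+dfsg-8ubuntu0.1",
}
DIGITS = "0123456789"


def _order(c):
    """Character weight used by dpkg: '~' < end of string < letters < other."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        if not sep:
            upstream, rev = rest, ""
        return int(epoch), upstream, rev
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def vulnerable_packages(dpkg_output, release):
    """Parse `dpkg-query -W -f='${Package} ${Version} ${Status}\\n'` output and
    return (package, installed, fixed) for installed apr-util binaries below the fix."""
    fixed = FIXED[release]
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[-1] != "installed":
            continue
        pkg, ver = parts[0], parts[1]
        if pkg.startswith("libaprutil1") and compare_versions(ver, fixed) < 0:
            hits.append((pkg, ver, fixed))
    return hits


def stale_processes(maps_by_pid):
    """Given {pid: text of /proc/<pid>/maps}, return pids still mapping an
    apr-util .so that was replaced on disk (the kernel appends '(deleted)')."""
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if "libaprutil-1.so" in line and line.rstrip().endswith("(deleted)"):
                stale.append(pid)
                break
    return sorted(stale)


def read_proc_maps():
    """Collect /proc/<pid>/maps for every readable process on a real host."""
    out = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open("/proc/%s/maps" % pid) as f:
                    out[int(pid)] = f.read()
            except OSError:
                continue
    return out


# Constructed samples: an 8.04 host that has not yet taken the update, plus
# one process (4242) that was started before the library on disk was replaced.
SAMPLE_DPKG = """\
libaprutil1 1.2.12+dfsg-3 install ok installed
libaprutil1-dev 1.2.12+dfsg-3 install ok installed
apache2.2-common 2.2.8-1ubuntu0.10 install ok installed
libapr1 1.2.11-1 install ok installed
"""
SAMPLE_MAPS = {
    4242: "b7f1a000-b7f3a000 r-xp 00000000 08:01 131242 /usr/lib/libaprutil-1.so.0.2.12 (deleted)\n",
    4243: "b7f1a000-b7f3a000 r-xp 00000000 08:01 131300 /usr/lib/libaprutil-1.so.0.2.12\n",
}

if __name__ == "__main__":
    for pkg, have, want in vulnerable_packages(SAMPLE_DPKG, "8.04"):
        print("%s %s is older than fixed %s" % (pkg, have, want))
    print("processes needing restart:", stale_processes(SAMPLE_MAPS))
```

On a live host, feed `vulnerable_packages()` the real `dpkg-query` output and `stale_processes()` the dict from `read_proc_maps()` (run as root so every process's maps file is readable); a process listed there has already been patched on disk but still executes the old code until it is restarted.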
Details follow:
Matthew Palmer discovered an underflow flaw in apr-util. An attacker could
crash Apache (a denial of service) through a crafted SVNMasterURI directive
or .htaccess file, or through mod_apreq2. Applications using libapreq2 are
also affected. (CVE-2009-0023)
It was discovered that the XML parser did not properly handle entity
expansion. A remote attacker could cause a denial of service via memory
resource consumption by sending a crafted request to an Apache server
configured to use mod_dav or mod_dav_svn. (CVE-2009-1955)
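The attack class behind CVE-2009-1955 is nested internal entity expansion: a small request body whose DTD declares entities that reference each other, so that the parser materialises far more text than was sent. The block below is an added example, not apr-util's code (apr-util wraps expat in C; this uses Python's expat binding): it builds such a document in the shape of a WebDAV PROPFIND body, measures how much character data a default parser hands back, and then applies the same class of fix, refusing any entity declaration before it can be expanded. The document is constructed, and the sizes are kept small on purpose.

```python
"""Entity-expansion DoS and its mitigation (added example for CVE-2009-1955)."""
from xml.parsers import expat


class EntityRejected(Exception):
    """Raised by the hardened parser when the DTD tries to declare an entity."""


def nested_entities(depth=4, fanout=10):
    """Constructed PROPFIND-like body: each entity expands to `fanout` copies
    of the previous one, so &e{depth}; yields fanout**depth copies of "lol"."""
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE propfind [", '<!ENTITY e0 "lol">']
    for d in range(1, depth + 1):
        ref = "&e%d;" % (d - 1)
        lines.append('<!ENTITY e%d "%s">' % (d, ref * fanout))
    lines.append("]>")
    lines.append('<propfind xmlns="DAV:"><prop><displayname>&e%d;</displayname>'
                 "</prop></propfind>" % depth)
    return "\n".join(lines)


def parse_naive(doc):
    """Default expat behaviour: internal entities expand freely.
    Returns the number of characters of text the parser delivered."""
    p = expat.ParserCreate()
    total = 0

    def chars(data):
        nonlocal total
        total += len(data)

    p.CharacterDataHandler = chars
    p.Parse(doc, True)
    return total


def parse_hardened(doc):
    """Reject any entity declaration in the DTD, so nothing can be expanded.
    Returns (accepted, characters_delivered, reason)."""
    p = expat.ParserCreate()
    total = 0

    def chars(data):
        nonlocal total
        total += len(data)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityRejected("entity declaration %r rejected" % name)

    p.CharacterDataHandler = chars
    p.EntityDeclHandler = entity_decl
    try:
        p.Parse(doc, True)
    except EntityRejected as e:
        return False, total, str(e)
    return True, total, ""


BENIGN = '<propfind xmlns="DAV:"><prop><displayname>x</displayname></prop></propfind>'

if __name__ == "__main__":
    doc = nested_entities()
    print("request body: %d bytes" % len(doc))
    print("naive parser delivered: %d characters" % parse_naive(doc))
    print("hardened parser:", parse_hardened(doc))
    print("hardened parser on benign body:", parse_hardened(BENIGN))
```

With `depth=4, fanout=10` a request of a few hundred bytes turns into 30000 characters of text; raising either parameter grows that geometrically, which is the memory exhaustion the advisory describes. Rejecting entity declarations outright is the blunt but effective option because DAV request bodies never legitimately need a DTD; a parser that must accept DTDs should instead cap the expansion ratio.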
C. Michael Pilato discovered an off-by-one buffer overflow in apr-util when
formatting certain strings. On big-endian machines (powerpc, hppa and
sparc in Ubuntu), a remote attacker could cause a denial of service or
information disclosure. All other Ubuntu architectures are not considered
to be at risk. (CVE-2009-1956)
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-3ubuntu0.1.diff.gz
Size/MD5: 24574 b2420f470b89f1615f057ab0d7a8fb1b
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-3ubuntu0.1.dsc
Size/MD5: 1324 3d8d31431281ace5a474c086b81ca68d
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
Size/MD5: 658687 4ef3e41037fe0cdd3a0d107335a008eb
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_amd64.deb
Size/MD5: 133066 7b3c573fcd12d1d298a72836e30c7871
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_amd64.deb
Size/MD5: 129888 997d790d176112338827b7ec69b2b875
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_amd64.deb
Size/MD5: 75868 fb5b2593ec7f988da308d5bc49262792
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_i386.deb
Size/MD5: 126324 c5e0c3e481955d77d6dcb6b6e0062faf
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_i386.deb
Size/MD5: 119408 3e6ac00f8f52fe380dce9f229d44e1e4
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_i386.deb
Size/MD5: 70352 ce4883670593cd7101bb512b75f511ab
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_lpia.deb
Size/MD5: 128056 da36f9545e11be1121f988e6ed9b927b
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_lpia.deb
Size/MD5: 119064 249b96b4bd8bfac97a613cd9bde37e7f
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_lpia.deb
Size/MD5: 69540 3df182c1e62ba76c7d530da9de4e91f8
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_powerpc.deb
Size/MD5: 133836 0f893ec4252c3dd37be0a1fa1dc34bde
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_powerpc.deb
Size/MD5: 130282 0d4c0efa6ec794122aff6b7ee2f2814e
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_powerpc.deb
Size/MD5: 80120 da8d5adb86e4a0cbf17dd9beec0eb702
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_sparc.deb
Size/MD5: 120154 80d4bd5baf2481590d2027564cbe01b6
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_sparc.deb
Size/MD5: 124164 30a88899ff268cd92b320fcad4537cc5
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_sparc.deb
Size/MD5: 71116 abe3f0348d5243b121b1d5ec057afc59
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-7ubuntu0.1.diff.gz
Size/MD5: 25591 0b7395302ddb00bea5a5e08e5c853b9b
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-7ubuntu0.1.dsc
Size/MD5: 1632 f7ec40dbe488612dfaa923d4fdcce0cc
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
Size/MD5: 658687 4ef3e41037fe0cdd3a0d107335a008eb
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_amd64.deb
Size/MD5: 150754 c62d95de736540118e79d55a19cbfe88
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_amd64.deb
Size/MD5: 136314 ba94c537013ce62bf156f611daf871be
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_amd64.deb
Size/MD5: 82382 d048ffe3b1c1957ceaa0e078465bec83
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_i386.deb
Size/MD5: 144020 590a52c97853ed46cbb0ba59cf17675c
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_i386.deb
Size/MD5: 124820 c8be5124f0e16940e3e23f24af228af8
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_i386.deb
Size/MD5: 75830 d45ad82f9d0f20fb55b0f7d35128661a
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_lpia.deb
Size/MD5: 145348 c88756b31e3bf6b36912088c35e3a713
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_lpia.deb
Size/MD5: 124594 d5dfdcd3f7aa11f939714028e94dc6ed
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_lpia.deb
Size/MD5: 75150 ce8f9914f29d4742ec3a4f99b3c59393
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_powerpc.deb
Size/MD5: 150190 bd1adf49cd11f9f18ce6b9ec093aca93
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_powerpc.deb
Size/MD5: 135892 9e3ed838d846fac285427123af1930f3
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_powerpc.deb
Size/MD5: 84846 135994ac372c8c6614d418351ddc9fd5
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_sparc.deb
Size/MD5: 135354 3aad2512d439e310004e9e47b14319cd
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_sparc.deb
Size/MD5: 128358 0ce0c3418e47b4dfd55be998ba082d88
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_sparc.deb
Size/MD5: 75364 0b0634bcc540b68444fdf1f2ecfde92b
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-8ubuntu0.1.diff.gz
Size/MD5: 22846 206a190e418ef32ac80cb21976c0c535
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-8ubuntu0.1.dsc
Size/MD5: 1630 42152b61158055a6b248bafa3d3ccb65
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
Size/MD5: 658687 4ef3e41037fe0cdd3a0d107335a008eb
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_amd64.deb
Size/MD5: 147306 918e2ade399f448b01883ea45fccbc52
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_amd64.deb
Size/MD5: 132960 5ea0a03316d69002c76510b9ebba4bef
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_amd64.deb
Size/MD5: 78924 2e42e78880ad1b0fd689b6b304a8be28
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_i386.deb
Size/MD5: 140514 2bc7d4bc488b864fce998161118e952a
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_i386.deb
Size/MD5: 121226 7299c4f38d94e46cbb1014fe2b7650fc
http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_i386.deb
Size/MD5: 72416 1102da0f14f8c08d5279861ba69f4b18
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_lpia.deb
Size/MD5: 141702 4e7eb2cad127657ea22ff81d03aac32e
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_lpia.deb
Size/MD5: 120970 4999f99cdce03e3f9693bb678edc65b6
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_lpia.deb
Size/MD5: 71822 9abb9a40c00e626718ee86a981608c5a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_powerpc.deb
Size/MD5: 146566 1f745e1d18b2c10c0318629ac6ee6d67
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_powerpc.deb
Size/MD5: 132458 c5c91538a415db18d285076e6e8fc7ff
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_powerpc.deb
Size/MD5: 81408 75bfc684ae3a41319b94b5f3ed808914
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_sparc.deb
Size/MD5: 131386 50dfb432a206f070517394d1b1403bab
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_sparc.deb
Size/MD5: 124770 aea3ccb26d29a0cd3cc59b52a96c01db
http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_sparc.deb
Size/MD5: 71726 c1a1dacde51cd734af53a48f2214f2ca
--J2SCkAp4GZ/dPZZf
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkowE70ACgkQW0JvuRdL8BqyAgCfVunQDCChmvc5AO6ITEzL8OG6
MzEAoJOabnWSctnIp5gUJ11Whu5QIY7+
=Chm/
-----END PGP SIGNATURE-----
--J2SCkAp4GZ/dPZZf--