To: [email protected]Subject: [ MDVSA-2009:195-1 ] apr
Date: Thu, 06 Aug 2009 21:32:01 +0200
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1MZ8gz-0000HX-AR@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:195-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apr
Date : August 6, 2009
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been identified and corrected in apr and apr-util:
Multiple integer overflows in the Apache Portable Runtime (APR)
library and the Apache Portable Utility library (aka APR-util)
0.9.x and 1.3.x allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via vectors that
trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc
function in memory/unix/apr_pools.c in APR; or crafted calls to
the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc
function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
NOTE: some of these details are obtained from third party information
(CVE-2009-2412).
This update provides fixes for these vulnerabilities.
Update:
apr-util packages were missing for Mandriva Enterprise Server 5 i586,
this has been adressed with this update.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
19ed152f311aaa740e498d204e611c87 mes5/i586/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.i586.rpm
1da16e622bc2aa6fac28b0a9a7c36b39 mes5/i586/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.i586.rpm
e9e56ac0cbd4316b1687c3e5bf66d3d3 mes5/i586/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.i586.rpm
fbfaeb1772eb0b22de4b4562f5601c50 mes5/i586/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.i586.rpm
6da57cdbe02238048ea6dc115a1ae744 mes5/i586/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.i586.rpm
34beee246bc1206229975aba75776aa2 mes5/i586/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.i586.rpm
445b930503e3e8f15b220681e67c74b4 mes5/i586/libapr-util1-1.3.4-2.3mdvmes5.i586.rpm
b53ec99a1242f3d0e31e4267090d4d69 mes5/i586/libapr-util-devel-1.3.4-2.3mdvmes5.i586.rpm
ddd3ba83c0f4f0a73954d1ca8b6926c4 mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
02e1b437a1451b205d726a804ecba70a mes5/x86_64/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.x86_64.rpm
daa72432fd3545df890a2aa2ebeacc4e mes5/x86_64/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.x86_64.rpm
5c6b4a74cf6df907a88d1474708ba96c mes5/x86_64/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.x86_64.rpm
8cabe517448ab264870e9b786f58db88 mes5/x86_64/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.x86_64.rpm
4f49787251d7fac85d39535c82389a6a mes5/x86_64/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.x86_64.rpm
43c974a3636fd725d100332fd0b4f204 mes5/x86_64/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.x86_64.rpm
9f0a37e6b63384f216033c6f35975c09 mes5/x86_64/lib64apr-util1-1.3.4-2.3mdvmes5.x86_64.rpm
99d7a7418d4250764773f6cbcc0ebd6c mes5/x86_64/lib64apr-util-devel-1.3.4-2.3mdvmes5.x86_64.rpm
ddd3ba83c0f4f0a73954d1ca8b6926c4 mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKewWNmqjQ0CJFipgRAl3dAKCBpW6Ccamts0gKMNkDopc+x+QCZACfZ+Ep
WrkXUeLyvhHymK2bJ8xLrXU=
=4/ly
-----END PGP SIGNATURE-----