lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MD4Ls-0005vk-Jl@titan.mandriva.com>
Date: Sun, 07 Jun 2009 00:27:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2009:131 ] apr-util


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:131
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apr-util
 Date    : June 6, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities has been identified and fixed
 in apr-util:
 
 The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
 Apache APR-util before 1.3.5 allows remote attackers to cause a denial
 of service (daemon crash) via crafted input involving (1) a .htaccess
 file used with the Apache HTTP Server, (2) the SVNMasterURI directive
 in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
 module for the Apache HTTP Server, or (4) an application that uses
 the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).
 
 The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
 Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
 modules in the Apache HTTP Server, allows remote attackers to
 cause a denial of service (memory consumption) via a crafted XML
 document containing a large number of nested entity references, as
 demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
 (CVE-2009-1955).
 
 Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
 before 1.3.5 on big-endian platforms allows remote attackers to obtain
 sensitive information or cause a denial of service (application crash)
 via crafted input (CVE-2009-1956).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 92f1f45dfb84661bd03bf51bee6897d9  2008.1/i586/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.i586.rpm
 caef9a32c67002abedab6b0ac17b1967  2008.1/i586/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.i586.rpm
 8801ecf1cdfdc5dfa78c30bdad3cd060  2008.1/i586/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.i586.rpm
 9d66380821421ad635227dc5476318b0  2008.1/i586/libapr-util1-1.2.12-4.1mdv2008.1.i586.rpm
 1e5ddcfcc0ad295b60973b5d52d011b3  2008.1/i586/libapr-util-devel-1.2.12-4.1mdv2008.1.i586.rpm 
 e08259c07ac94bc85845f3734be8db34  2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 d56edd77f88f36b09f83b713c9d8ffa2  2008.1/x86_64/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.x86_64.rpm
 0d92993cb208bb096a8ea368f54fe11f  2008.1/x86_64/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.x86_64.rpm
 1dc136b490ff75420d7c574ef8c3171b  2008.1/x86_64/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.x86_64.rpm
 f45811447bb16f318e801358dd204ed3  2008.1/x86_64/lib64apr-util1-1.2.12-4.1mdv2008.1.x86_64.rpm
 dc610ef400bafbcb7661a211c14b5391  2008.1/x86_64/lib64apr-util-devel-1.2.12-4.1mdv2008.1.x86_64.rpm 
 e08259c07ac94bc85845f3734be8db34  2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 9176400dae2afb4b5b3610d2f210cc59  2009.0/i586/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.i586.rpm
 a7bf775d9602e8334e1cd741b3629968  2009.0/i586/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.i586.rpm
 3c7258acac4168f81a0c885e30bf1aba  2009.0/i586/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.i586.rpm
 7addb0ca1d17c3c13d82546ba37fe88a  2009.0/i586/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.i586.rpm
 557370eb6a25ce86b8c2b7fa09d7c272  2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.i586.rpm
 32ede22cfdb2ea0e4d493a0a266f8080  2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.i586.rpm
 7caa67204bbfedd4d02957e5b01d536b  2009.0/i586/libapr-util1-1.3.4-2.1mdv2009.0.i586.rpm
 73b73db72a446ef172144f87e42efab5  2009.0/i586/libapr-util-devel-1.3.4-2.1mdv2009.0.i586.rpm 
 b26a710b3ab76a3455c379b7fb445dcd  2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 1518e4d5cc1ed90ede935be0526f45c7  2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.x86_64.rpm
 438292564ad5f4816b611b30d5801133  2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.x86_64.rpm
 1b9f81750a5e10163d8e1ef66824a9fd  2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.x86_64.rpm
 5c66b915d362e2f76af8826cda7ad4f1  2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.x86_64.rpm
 b2a87f1ad69286bb6a85cc5684e0a923  2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.x86_64.rpm
 a83f43dbc1e469d35790aa1a416bc532  2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.x86_64.rpm
 07799e945a1f9d8a87c1d3571b294566  2009.0/x86_64/lib64apr-util1-1.3.4-2.1mdv2009.0.x86_64.rpm
 00a029d2d94c2c148b42a577fb050230  2009.0/x86_64/lib64apr-util-devel-1.3.4-2.1mdv2009.0.x86_64.rpm 
 b26a710b3ab76a3455c379b7fb445dcd  2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 5dddb4e8f882abeafe169068155b39e5  2009.1/i586/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.i586.rpm
 ec7826f62f8532cc9d9f0ec4493c27a8  2009.1/i586/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.i586.rpm
 a2d652ea15ad9d6fdb20c0c4597b5e92  2009.1/i586/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.i586.rpm
 04edc5f79d1f1fb944f124be02f5f4f4  2009.1/i586/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.i586.rpm
 5d442d45fd174ede671616de3633c3d1  2009.1/i586/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.i586.rpm
 d8c39ce871315657d14cd667b86b0a1f  2009.1/i586/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.i586.rpm
 53ff86d912ddd8f03f2cc7008e6b3efe  2009.1/i586/libapr-util1-1.3.4-9.1mdv2009.1.i586.rpm
 4e48b8ec5cfd96049995be6b35620777  2009.1/i586/libapr-util-devel-1.3.4-9.1mdv2009.1.i586.rpm 
 5f540f08104dd6b9308fb8a250265934  2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 2a2b2b3ad850b47a0e46e3887b2444bb  2009.1/x86_64/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.x86_64.rpm
 20da927348792593bc861c87c179731c  2009.1/x86_64/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.x86_64.rpm
 0abf7046538fcdacef067f84313fbbc5  2009.1/x86_64/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.x86_64.rpm
 0292409a75181175cde3f1a012ecb2af  2009.1/x86_64/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.x86_64.rpm
 a4045886cba9ffc7a26b6aaf9576a4ba  2009.1/x86_64/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.x86_64.rpm
 8010ff96d9520f1785b4afc08f04ad5b  2009.1/x86_64/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.x86_64.rpm
 e715d3c003d71105ff333b4ea1a22437  2009.1/x86_64/lib64apr-util1-1.3.4-9.1mdv2009.1.x86_64.rpm
 b187dd640492b20701e9689036c23ff9  2009.1/x86_64/lib64apr-util-devel-1.3.4-9.1mdv2009.1.x86_64.rpm 
 5f540f08104dd6b9308fb8a250265934  2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm

 Corporate 4.0:
 6de99d9180e53e38ee113673a5d3e689  corporate/4.0/i586/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.i586.rpm
 3eaf3a6c3f9e31774c8f25db25dca5be  corporate/4.0/i586/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.i586.rpm
 afe8fec9e8fa17db894eb98f2e35ffd7  corporate/4.0/i586/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.i586.rpm
 62d0ff16e5b1e8ed25d510c660bea31a  corporate/4.0/i586/libapr-util1-1.2.7-6.1.20060mlcs4.i586.rpm
 637f00f1637a352131786816bb1a83ee  corporate/4.0/i586/libapr-util1-devel-1.2.7-6.1.20060mlcs4.i586.rpm 
 4e8d1d2aef2789c69b1cc4b146e13df0  corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 d5158329088f973b19537ec3ce81ca15  corporate/4.0/x86_64/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.x86_64.rpm
 f3ca6e7dbf32fc8984091a231a783062  corporate/4.0/x86_64/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.x86_64.rpm
 20cbdcfc13ed4dd3c7a96d332598aa9d  corporate/4.0/x86_64/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.x86_64.rpm
 7680ac2c17b071b8bb7d7df7aa819587  corporate/4.0/x86_64/lib64apr-util1-1.2.7-6.1.20060mlcs4.x86_64.rpm
 b78edda70db885ac7c910be07d1ab335  corporate/4.0/x86_64/lib64apr-util1-devel-1.2.7-6.1.20060mlcs4.x86_64.rpm 
 4e8d1d2aef2789c69b1cc4b146e13df0  corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKKsBgmqjQ0CJFipgRAryqAJ43uOjXmQp4I1cr16CXJMLnyNFKfQCffu5h
qObBjyzCi7PWfx6IM1WMldQ=
=2E5N
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ