lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1QKtnZ-00034Y-0x@titan.mandriva.com>
Date: Fri, 13 May 2011 16:57:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:084 ] apr

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:084
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apr
 Date    : May 13, 2011
 Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 It was discovered that the apr_fnmatch() function used an unconstrained
 recursion when processing patterns with the &#039;*&#039; wildcard. An attacker
 could use this flaw to cause an application using this function,
 which also accepted untrusted input as a pattern for matching (such
 as an httpd server using the mod_autoindex module), to exhaust all
 stack memory or use an excessive amount of CPU time when performing
 matching (CVE-2011-0419).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 be64584ff33e8b302b98371cc2250737  2009.0/i586/libapr1-1.3.3-2.2mdv2009.0.i586.rpm
 f7dc54c6193e0ca7f3a24606e9d7a418  2009.0/i586/libapr-devel-1.3.3-2.2mdv2009.0.i586.rpm 
 1b7160e3c2178a302c07a6e23d59c82d  2009.0/SRPMS/apr-1.3.3-2.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 8d7329923bb5e81dbca4ea1d355e2846  2009.0/x86_64/lib64apr1-1.3.3-2.2mdv2009.0.x86_64.rpm
 7838341b9612ac1ab78606a8c2143306  2009.0/x86_64/lib64apr-devel-1.3.3-2.2mdv2009.0.x86_64.rpm 
 1b7160e3c2178a302c07a6e23d59c82d  2009.0/SRPMS/apr-1.3.3-2.2mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 50d349a278f9fb9ddae7fe78b9c7cfb5  2010.0/i586/libapr1-1.3.9-1.1mdv2010.0.i586.rpm
 a2ab8bacb929689515885f8f6b55e20b  2010.0/i586/libapr-devel-1.3.9-1.1mdv2010.0.i586.rpm 
 09656854ddec250000ae8ec2a54db5ac  2010.0/SRPMS/apr-1.3.9-1.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 d1d1660e4427134fd94eb61c6bf50573  2010.0/x86_64/lib64apr1-1.3.9-1.1mdv2010.0.x86_64.rpm
 0c26aa24bf82e860353f5d279f1d7c3d  2010.0/x86_64/lib64apr-devel-1.3.9-1.1mdv2010.0.x86_64.rpm 
 09656854ddec250000ae8ec2a54db5ac  2010.0/SRPMS/apr-1.3.9-1.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 6bcbd128393e66f857a0237858b8296c  2010.1/i586/libapr1-1.4.2-1.1mdv2010.2.i586.rpm
 711375d83f3e8ba475f5e50e9cd72c58  2010.1/i586/libapr-devel-1.4.2-1.1mdv2010.2.i586.rpm 
 1e79b3cbed82fe6a72a5e363ee6de1ac  2010.1/SRPMS/apr-1.4.2-1.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 10e549216a50287a8b00ceabc989f582  2010.1/x86_64/lib64apr1-1.4.2-1.1mdv2010.2.x86_64.rpm
 dcb20d2f8c1698ad7da97d8cfad775bc  2010.1/x86_64/lib64apr-devel-1.4.2-1.1mdv2010.2.x86_64.rpm 
 1e79b3cbed82fe6a72a5e363ee6de1ac  2010.1/SRPMS/apr-1.4.2-1.1mdv2010.2.src.rpm

 Corporate 4.0:
 14e8e64d57936ac0d07614bd67446f03  corporate/4.0/i586/libapr1-1.2.7-1.2.20060mlcs4.i586.rpm
 ce54af727421b84a6b44e1e93c026d2e  corporate/4.0/i586/libapr1-devel-1.2.7-1.2.20060mlcs4.i586.rpm 
 b32595e78258a491a42ca109d6bceba2  corporate/4.0/SRPMS/apr-1.2.7-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 8d384c32df7462ea43898d5747a8896e  corporate/4.0/x86_64/lib64apr1-1.2.7-1.2.20060mlcs4.x86_64.rpm
 ceb813bb8fbcd8047c4bb8938bdef32b  corporate/4.0/x86_64/lib64apr1-devel-1.2.7-1.2.20060mlcs4.x86_64.rpm 
 b32595e78258a491a42ca109d6bceba2  corporate/4.0/SRPMS/apr-1.2.7-1.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 7e3ca3eb765d21b1366f55c9b9b56027  mes5/i586/libapr1-1.3.3-2.2mdvmes5.2.i586.rpm
 fbf9421168cb26090b5ff021a2bb823a  mes5/i586/libapr-devel-1.3.3-2.2mdvmes5.2.i586.rpm 
 f7afcb8a3dd0ecca2998a32df747afc9  mes5/SRPMS/apr-1.3.3-2.2mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 418475e740da85914275f648045dbacb  mes5/x86_64/lib64apr1-1.3.3-2.2mdvmes5.2.x86_64.rpm
 bc4a3e5372735992d633f5933b540891  mes5/x86_64/lib64apr-devel-1.3.3-2.2mdvmes5.2.x86_64.rpm 
 f7afcb8a3dd0ecca2998a32df747afc9  mes5/SRPMS/apr-1.3.3-2.2mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNzRTYmqjQ0CJFipgRArnuAKC5bjB2514IeZ28goZnvrQX3nI9HwCfS7M7
45Ow0utD+phZX5PXfEeE+20=
=Y0XA
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ