Message-ID: <20090610201245.GA12328@severus.strandboge.com>
Date: Wed, 10 Jun 2009 15:12:45 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-786-1] apr-util vulnerabilities

===========================================================
Ubuntu Security Notice USN-786-1              June 10, 2009
apr-util vulnerabilities
CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libaprutil1                     1.2.12+dfsg-3ubuntu0.1

Ubuntu 8.10:
  libaprutil1                     1.2.12+dfsg-7ubuntu0.1

Ubuntu 9.04:
  libaprutil1                     1.2.12+dfsg-8ubuntu0.1

After a standard system upgrade you need to restart any services that use
apr-util, such as Apache or svnserve, to effect the necessary changes.
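One way to verify that restart step, as an added example rather than anything from the advisory or from Ubuntu: a Python script that lists processes still mapping a replaced copy of the apr-util shared object, using the "(deleted)" flag the kernel puts on such mappings in /proc/PID/maps. The library-name substring and the sample maps lines are assumptions constructed for the demonstration.

```python
import os
# Substring identifying the library the upgrade replaces; Linux marks a mapping whose file
# has since been replaced or unlinked with a trailing "(deleted)" in /proc/PID/maps.
LIB_MARKER = "libaprutil-1.so"

def stale_mappings(maps_text, marker=LIB_MARKER):
    """Distinct paths in one /proc/PID/maps text that name the library and are flagged
    '(deleted)', i.e. the process is still running the pre-upgrade copy."""
    stale = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)        # addr perms offset dev inode [pathname]
        if len(fields) < 6:
            continue
        path = fields[5].strip()
        if marker in path and path.endswith(" (deleted)"):
            path = path[:-len(" (deleted)")]
            if path not in stale:
                stale.append(path)
    return stale

def find_processes_needing_restart(proc_root="/proc", marker=LIB_MARKER):
    """Scan every readable process under proc_root and return pid -> (name, stale paths).
    Reading other users' maps needs root; unreadable or exited processes are skipped."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), errors="replace") as fh:
                stale = stale_mappings(fh.read(), marker)
            with open(os.path.join(proc_root, entry, "status"), errors="replace") as fh:
                name = fh.readline().split(":", 1)[1].strip()   # "Name:\tapache2"
        except OSError:                      # permission denied or process gone mid-scan
            continue
        if stale:
            result[int(entry)] = (name, stale)
    return result

# Constructed sample of maps lines from an Apache worker started before the upgrade.
SAMPLE_MAPS = (
    "7f1e3a5c0000-7f1e3a5d8000 r-xp 00000000 08:01 131189 /usr/lib/libaprutil-1.so.0.2.12 (deleted)\n"
    "7f1e3a5d8000-7f1e3a7d7000 ---p 00018000 08:01 131189 /usr/lib/libaprutil-1.so.0.2.12 (deleted)\n"
    "7f1e3a7d8000-7f1e3a7fd000 r-xp 00000000 08:01 131177 /usr/lib/libapr-1.so.0.2.12\n"
    "7ffc1b2f0000-7ffc1b311000 rw-p 00000000 00:00 0      [stack]\n"
)

if __name__ == "__main__":
    for pid, (name, libs) in sorted(find_processes_needing_restart().items()):
        print(f"pid {pid} ({name}) still maps: {', '.join(libs)}")
```

An empty result after restarting Apache and svnserve confirms no process is still executing the old library.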

Details follow:

Matthew Palmer discovered an underflow flaw in apr-util. An attacker could
cause a denial of service (application crash) in Apache via a crafted
SVNMasterURI directive or .htaccess file, or when mod_apreq2 is in use.
Applications using libapreq2 are also affected. (CVE-2009-0023)

It was discovered that the XML parser did not properly handle entity
expansion. A remote attacker could cause a denial of service via memory
resource consumption by sending a crafted request to an Apache server
configured to use mod_dav or mod_dav_svn. (CVE-2009-1955)
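As an added illustration of the resource-consumption issue described above (not code from the advisory or from apr-util): a defensive pre-check in Python that computes how large a document body becomes once its internal entity references are expanded, without materialising the expansion, and rejects documents past a size or amplification cap. The limits, regexes and the sample document are constructed for this example.

```python
import re
# Internal general entity declarations (<!ENTITY a "xxxx">, either quote style); parameter (%)
# and external (SYSTEM/PUBLIC) entities are deliberately not matched by this pre-check.
ENTITY_DEF_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF_RE = re.compile(r"&(\w+);")
DOCTYPE_RE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>", re.S)  # DTD incl. internal subset

def entity_definitions(doc):
    """Map entity name -> replacement text for every internal general entity in the DTD."""
    return {name: dq or sq for name, dq, sq in ENTITY_DEF_RE.findall(doc)}

def expanded_size(text, defs, memo, active):
    """Length of `text` after recursively expanding every &name; (memoised per entity,
    never materialised). Raises ValueError on a reference cycle."""
    total, last = 0, 0
    for m in ENTITY_REF_RE.finditer(text):
        name = m.group(1)
        total += m.start() - last
        last = m.end()
        if name not in defs:                # undefined or predefined (&amp; etc.): kept literal
            total += m.end() - m.start()
            continue
        if name not in memo:
            if name in active:
                raise ValueError(f"entity {name!r} references itself")
            active.add(name)
            memo[name] = expanded_size(defs[name], defs, memo, active)
            active.discard(name)
        total += memo[name]
    return total + len(text) - last

def expanded_document_size(doc):
    """Bytes the body would occupy after expansion; the DTD itself is not counted."""
    return expanded_size(DOCTYPE_RE.sub("", doc, count=1), entity_definitions(doc), {}, set())

def check_entity_expansion(doc, max_bytes=1_000_000, max_ratio=10.0):
    """True when the expanded body stays under an absolute cap and an amplification ratio
    relative to the raw document; False on excess or on a reference cycle."""
    try:
        size = expanded_document_size(doc)
    except ValueError:
        return False
    return size <= max_bytes and size <= max_ratio * max(len(doc), 1)

# Constructed sample: three nesting levels, each entity referencing the previous one four
# times, so the 3-byte reference &c; stands for 160 bytes of expanded text.
NESTED_DOC = ('<?xml version="1.0"?>\n<!DOCTYPE d [\n  <!ENTITY a "xxxxxxxxxx">\n'
              '  <!ENTITY b "&a;&a;&a;&a;">\n  <!ENTITY c "&b;&b;&b;&b;">\n]>\n<d>&c;</d>\n')
```

Running the check on a request body before handing it to the real parser turns an unbounded memory blow-up into a cheap rejection.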

C. Michael Pilato discovered an off-by-one buffer overflow in apr-util when
formatting certain strings. On big-endian machines (powerpc, hppa and
sparc in Ubuntu), a remote attacker could cause a denial of service or
an information disclosure. Other Ubuntu architectures are not considered
to be at risk. (CVE-2009-1956)


