lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MZ8gz-0000Hb-CT@titan.mandriva.com>
Date: Thu, 06 Aug 2009 21:32:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:195-1 ] apr


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:195-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apr
 Date    : August 6, 2009
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been identified and corrected in apr and apr-util:
 
 Multiple integer overflows in the Apache Portable Runtime (APR)
 library and the Apache Portable Utility library (aka APR-util)
 0.9.x and 1.3.x allow remote attackers to cause a denial of service
 (application crash) or possibly execute arbitrary code via vectors that
 trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc
 function in memory/unix/apr_pools.c in APR; or crafted calls to
 the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc
 function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
 NOTE: some of these details are obtained from third party information
 (CVE-2009-2412).
 
 This update provides fixes for these vulnerabilities.

 Update:

 apr-util packages were missing for Mandriva Enterprise Server 5 i586,
 this has been adressed with this update.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 19ed152f311aaa740e498d204e611c87  mes5/i586/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.i586.rpm
 1da16e622bc2aa6fac28b0a9a7c36b39  mes5/i586/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.i586.rpm
 e9e56ac0cbd4316b1687c3e5bf66d3d3  mes5/i586/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.i586.rpm
 fbfaeb1772eb0b22de4b4562f5601c50  mes5/i586/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.i586.rpm
 6da57cdbe02238048ea6dc115a1ae744  mes5/i586/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.i586.rpm
 34beee246bc1206229975aba75776aa2  mes5/i586/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.i586.rpm
 445b930503e3e8f15b220681e67c74b4  mes5/i586/libapr-util1-1.3.4-2.3mdvmes5.i586.rpm
 b53ec99a1242f3d0e31e4267090d4d69  mes5/i586/libapr-util-devel-1.3.4-2.3mdvmes5.i586.rpm 
 ddd3ba83c0f4f0a73954d1ca8b6926c4  mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 02e1b437a1451b205d726a804ecba70a  mes5/x86_64/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.x86_64.rpm
 daa72432fd3545df890a2aa2ebeacc4e  mes5/x86_64/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.x86_64.rpm
 5c6b4a74cf6df907a88d1474708ba96c  mes5/x86_64/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.x86_64.rpm
 8cabe517448ab264870e9b786f58db88  mes5/x86_64/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.x86_64.rpm
 4f49787251d7fac85d39535c82389a6a  mes5/x86_64/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.x86_64.rpm
 43c974a3636fd725d100332fd0b4f204  mes5/x86_64/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.x86_64.rpm
 9f0a37e6b63384f216033c6f35975c09  mes5/x86_64/lib64apr-util1-1.3.4-2.3mdvmes5.x86_64.rpm
 99d7a7418d4250764773f6cbcc0ebd6c  mes5/x86_64/lib64apr-util-devel-1.3.4-2.3mdvmes5.x86_64.rpm 
 ddd3ba83c0f4f0a73954d1ca8b6926c4  mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKewWNmqjQ0CJFipgRAl3dAKCBpW6Ccamts0gKMNkDopc+x+QCZACfZ+Ep
WrkXUeLyvhHymK2bJ8xLrXU=
=4/ly
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ