[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1P2sgo-0003de-AG@chopin.debian.org>
Date: Mon, 04 Oct 2010 21:35:18 +0000
From: Stefan Fritsch <sf@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA-2117-1] New apr-util packages fix
denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2117-1 security@...ian.org
http://www.debian.org/security/ Stefan Fritsch
October 4, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : apr-util
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-1623
APR-util is part of the Apache Portable Runtime library which is used
by projects such as Apache httpd and Subversion.
Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted http requests to
cause a greatly increased memory consumption in Apache httpd, resulting
in a denial of service.
This upgrade fixes this issue. After the upgrade, any running apache2
server processes need to be restarted.
For the stable distribution (lenny), this problem has been fixed in
version 1.2.12+dfsg-8+lenny5.
For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.9+dfsg-4.
We recommend that you upgrade your apr-util packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
Size/MD5 checksum: 658687 4ef3e41037fe0cdd3a0d107335a008eb
http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny5.dsc
Size/MD5 checksum: 1531 3c280d9325eccb5b202f797dfe4b0fec
http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny5.diff.gz
Size/MD5 checksum: 23557 ccbe052945c3c7a7abb083a5780e63fa
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_alpha.deb
Size/MD5 checksum: 90912 f01833decf4c09cb19900ad830537656
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_alpha.deb
Size/MD5 checksum: 157332 c768e904368992a886bab995d06be691
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_alpha.deb
Size/MD5 checksum: 147422 1f0111e3b3d573c860d72fb7d8f0e8b5
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_amd64.deb
Size/MD5 checksum: 133214 02ecc9426d426a0b07fad57d8548a552
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_amd64.deb
Size/MD5 checksum: 80190 bc013109f72a0550ab75a3cbcea4c8e3
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_amd64.deb
Size/MD5 checksum: 148128 a9074ac6c50448c01a8b79a1b43fd71a
arm architecture (ARM)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_arm.deb
Size/MD5 checksum: 71238 0f14138790b33ed5312d1bd9c64b1f00
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_arm.deb
Size/MD5 checksum: 124300 360c36286adba8e4590d3d788edc861b
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_arm.deb
Size/MD5 checksum: 139246 1221f6cb3918a1b4fea98aac628f1eaa
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_armel.deb
Size/MD5 checksum: 125562 e438c52ef68ba41152adf433bc21d616
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_armel.deb
Size/MD5 checksum: 70018 364da2335ced6c3219f8e6ce206b66e3
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_armel.deb
Size/MD5 checksum: 139230 76e5e253b409ce658a5be6362344fff5
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_hppa.deb
Size/MD5 checksum: 83802 c410f61265b32634094ad350d0d4aeb5
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_hppa.deb
Size/MD5 checksum: 138764 b467ed9dc49f4379e6db88d45e4ef233
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_hppa.deb
Size/MD5 checksum: 143056 952388a55397fad1995bc02367571482
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_i386.deb
Size/MD5 checksum: 141614 edd53fa18ff076d2dff72b40a9651d14
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_i386.deb
Size/MD5 checksum: 73984 2aa25fcf6479e34bdce90f1b989dfa4f
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_i386.deb
Size/MD5 checksum: 121060 788336d970df93d381088228298e4f4d
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_ia64.deb
Size/MD5 checksum: 110820 789ad31d3dc20ebc5e7a3d1d791087c5
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_ia64.deb
Size/MD5 checksum: 136570 67db51e6841ba527c27cd8608f203760
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_ia64.deb
Size/MD5 checksum: 169058 def2319fc7c98c667ff63fab83ba848a
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_mips.deb
Size/MD5 checksum: 137656 65b830e995d0e1df9e5dd3ded8d70384
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_mips.deb
Size/MD5 checksum: 74498 dbae966eba410854729e65f1b923616f
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_mips.deb
Size/MD5 checksum: 147726 0a00e22703d26b6cb7d9c3b378f628ac
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_mipsel.deb
Size/MD5 checksum: 144892 99888c01ccac0d9faa3a5550b15fba7a
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_mipsel.deb
Size/MD5 checksum: 74218 8231602412144f158ab4d1250df32cfe
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_mipsel.deb
Size/MD5 checksum: 136538 e0bb514608d43f8c8b2316f631e7e297
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_powerpc.deb
Size/MD5 checksum: 147160 87609acb8e723f45311251cfa03faa8b
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_powerpc.deb
Size/MD5 checksum: 132642 954d78228520f1a803835405fee1a9f5
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_powerpc.deb
Size/MD5 checksum: 83158 1de0e929812f80a27c5b5ef505a74da3
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_s390.deb
Size/MD5 checksum: 85652 125b09d4165e3cc8faa822ceba8746e7
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_s390.deb
Size/MD5 checksum: 133244 c8ebef5c30d2b61def461d62b8ea7b23
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_s390.deb
Size/MD5 checksum: 148902 0ac9f485e20eaf0eff64845c96c63c02
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_sparc.deb
Size/MD5 checksum: 125152 d7b0e9e282c1f6532f2239a9eba4e207
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_sparc.deb
Size/MD5 checksum: 72892 a0fd31dbfcd9cf8301b274d733315162
http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_sparc.deb
Size/MD5 checksum: 131960 95bb41d3245d5d0d6569d6fb045decba
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFMqkgZbxelr8HyTqQRAjgFAJ4vSvjB1pJAQ6K1V05ZdN9yUQLPmQCeOjmF
W8It1pOroUfphVqq2sVNN54=
=10/6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists