Pardus: Apr-util: Multiple Vulnerabilities - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Security Week: February 6th, 2012

Linux Advisory Watch: February 3rd, 2012

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Pardus: Apr-util: Multiple Vulnerabilities

User Rating:

How can I rate this item?

Posted by Benjamin D. Thomas

Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).


------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-89            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2009-06-13
  Severity: 2
      Type: Remote
------------------------------------------------------------------------

Summary
=======

Some vulnerabilities have been  reported  in  APR-util,  which  can  be
exploited by malicious users and malicious people to cause a DoS (Denial
of Service).


Description
===========

1) A vulnerability is caused due to an error in the processing  of  XML
files and can be exploited  to  exhaust  all  available  memory  via  a
specially crafted XML file containing a  predefined  entity  inside  an
entity definition.

2)  A vulnerability  is  caused   due   to   an   error   within   the
"apr_strmatch_precompile()" function in strmatch/apr_strmatch.c,  which
can be exploited to crash an application using the library.

3) Off-by-one error in the apr_brigade_vprintf function  on  big-endian
platforms allows remote attackers to obtain  sensitive  information  or
cause a denial of service (application crash) via crafted input.



Affected packages:

  Pardus 2008:
    apr-util, all before 1.2.12-7-3


Resolution
==========

There are update(s) for apr-util.  You  can  update  them  via  Package
Manager or with a single command from console:

    pisi up apr-util

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=9980
  * http://bugs.pardus.org.tr/show_bug.cgi?id=9981
  * http://bugs.pardus.org.tr/show_bug.cgi?id=9982
  * http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0023
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1955
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1956
  * http://secunia.com/advisories/35284