MDVSA-2012:019

Package name

apr

Date

2012-02-14

Advisory ID

MDVSA-2012:019

Affected versions

MES5 i586 , 2010.1 i586 , 2011 x86_64 , 2011 i586 , MES5 x86_64 , 2010.1 x86_64

Problem description

A vulnerability has been found and corrected in ASF APR:

tables/apr_hash.c in the Apache Portable Runtime (APR) library through
1.4.5 computes hash values without restricting the ability to trigger
hash collisions predictably, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via crafted input to
an application that maintains a hash table (CVE-2012-0840).

APR has been upgraded to the latest version (1.4.6) which holds
many improvments over the previous versions and is not vulnerable to
this issue.

Updated packages

MES5 i586

 173d17df305532e677eacb61427fc290  mes5/i586/libapr1-1.4.6-0.1mdvmes5.2.i586.rpm
 cd21d21a2fef2b9cc5b5f13c3bb78e74  mes5/i586/libapr-devel-1.4.6-0.1mdvmes5.2.i586.rpm 
 9eb866bcc8c407845edf67c6be078bcc  mes5/SRPMS/apr-1.4.6-0.1mdvmes5.2.src.rpm

2010.1 i586

 1de7664f663207ff2e2b66ed38059f04  2010.1/i586/libapr1-1.4.6-0.1mdv2010.2.i586.rpm
 f371aea1ad44fcdbc45d63c759ef7fb0  2010.1/i586/libapr-devel-1.4.6-0.1mdv2010.2.i586.rpm 
 698b79ec7009e77ba8d7d53b71434950  2010.1/SRPMS/apr-1.4.6-0.1mdv2010.2.src.rpm

2011 x86_64

 9d4e2c286abf5a227512c75b3f0ccb18  2011/x86_64/lib64apr1-1.4.6-0.1-mdv2011.0.x86_64.rpm
 05a9e3242ea9058d591849c035960c55  2011/x86_64/lib64apr-devel-1.4.6-0.1-mdv2011.0.x86_64.rpm 
 408e2ed975392cc47e9c0e6dce697d12  2011/SRPMS/apr-1.4.6-0.1.src.rpm

2011 i586

 1a06fc6721c20f950a04dc067344bbe4  2011/i586/libapr1-1.4.6-0.1-mdv2011.0.i586.rpm
 ba7aaaaadf1e8336afb4c43b03cb9054  2011/i586/libapr-devel-1.4.6-0.1-mdv2011.0.i586.rpm 
 408e2ed975392cc47e9c0e6dce697d12  2011/SRPMS/apr-1.4.6-0.1.src.rpm

MES5 x86_64

 029327d54965590a23af96af702af87a  mes5/x86_64/lib64apr1-1.4.6-0.1mdvmes5.2.x86_64.rpm
 c8f4a0942de90fef566282be2272b0e3  mes5/x86_64/lib64apr-devel-1.4.6-0.1mdvmes5.2.x86_64.rpm 
 9eb866bcc8c407845edf67c6be078bcc  mes5/SRPMS/apr-1.4.6-0.1mdvmes5.2.src.rpm

2010.1 x86_64

 d3f53d0a19a448ffc48bb000278e0284  2010.1/x86_64/lib64apr1-1.4.6-0.1mdv2010.2.x86_64.rpm
 04118f9682910695ba84d82a32c98c32  2010.1/x86_64/lib64apr-devel-1.4.6-0.1mdv2010.2.x86_64.rpm 
 698b79ec7009e77ba8d7d53b71434950  2010.1/SRPMS/apr-1.4.6-0.1mdv2010.2.src.rpm

References

• http://www.apache.org/dist/apr/CHANGES-APR-1.4
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0840