Nom du paquet
apr-util
Date
2009-06-06
Advisory ID
MDVSA-2009:131
Affected versions
2009.0 x86_64 , 2009.1 i586 , 2009.0 i586 , 2008.1 i586 , CS4.0 i586 , CS4.0 x86_64 , 2008.1 x86_64 , 2009.1 x86_64

Problem description

Multiple security vulnerabilities has been identified and fixed
in apr-util:

The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
Apache APR-util before 1.3.5 allows remote attackers to cause a denial
of service (daemon crash) via crafted input involving (1) a .htaccess
file used with the Apache HTTP Server, (2) the SVNMasterURI directive
in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
module for the Apache HTTP Server, or (4) an application that uses
the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).

The updated packages have been patched to prevent this.

Updated packages

2009.0 x86_64

 1518e4d5cc1ed90ede935be0526f45c7  2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.x86_64.rpm
 438292564ad5f4816b611b30d5801133  2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.x86_64.rpm
 1b9f81750a5e10163d8e1ef66824a9fd  2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.x86_64.rpm
 5c66b915d362e2f76af8826cda7ad4f1  2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.x86_64.rpm
 b2a87f1ad69286bb6a85cc5684e0a923  2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.x86_64.rpm
 a83f43dbc1e469d35790aa1a416bc532  2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.x86_64.rpm
 07799e945a1f9d8a87c1d3571b294566  2009.0/x86_64/lib64apr-util1-1.3.4-2.1mdv2009.0.x86_64.rpm
 00a029d2d94c2c148b42a577fb050230  2009.0/x86_64/lib64apr-util-devel-1.3.4-2.1mdv2009.0.x86_64.rpm 
 b26a710b3ab76a3455c379b7fb445dcd  2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm

2009.1 i586

 5dddb4e8f882abeafe169068155b39e5  2009.1/i586/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.i586.rpm
 ec7826f62f8532cc9d9f0ec4493c27a8  2009.1/i586/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.i586.rpm
 a2d652ea15ad9d6fdb20c0c4597b5e92  2009.1/i586/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.i586.rpm
 04edc5f79d1f1fb944f124be02f5f4f4  2009.1/i586/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.i586.rpm
 5d442d45fd174ede671616de3633c3d1  2009.1/i586/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.i586.rpm
 d8c39ce871315657d14cd667b86b0a1f  2009.1/i586/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.i586.rpm
 53ff86d912ddd8f03f2cc7008e6b3efe  2009.1/i586/libapr-util1-1.3.4-9.1mdv2009.1.i586.rpm
 4e48b8ec5cfd96049995be6b35620777  2009.1/i586/libapr-util-devel-1.3.4-9.1mdv2009.1.i586.rpm 
 5f540f08104dd6b9308fb8a250265934  2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm

2009.0 i586

 9176400dae2afb4b5b3610d2f210cc59  2009.0/i586/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.i586.rpm
 a7bf775d9602e8334e1cd741b3629968  2009.0/i586/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.i586.rpm
 3c7258acac4168f81a0c885e30bf1aba  2009.0/i586/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.i586.rpm
 7addb0ca1d17c3c13d82546ba37fe88a  2009.0/i586/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.i586.rpm
 557370eb6a25ce86b8c2b7fa09d7c272  2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.i586.rpm
 32ede22cfdb2ea0e4d493a0a266f8080  2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.i586.rpm
 7caa67204bbfedd4d02957e5b01d536b  2009.0/i586/libapr-util1-1.3.4-2.1mdv2009.0.i586.rpm
 73b73db72a446ef172144f87e42efab5  2009.0/i586/libapr-util-devel-1.3.4-2.1mdv2009.0.i586.rpm 
 b26a710b3ab76a3455c379b7fb445dcd  2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm

2008.1 i586

 92f1f45dfb84661bd03bf51bee6897d9  2008.1/i586/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.i586.rpm
 caef9a32c67002abedab6b0ac17b1967  2008.1/i586/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.i586.rpm
 8801ecf1cdfdc5dfa78c30bdad3cd060  2008.1/i586/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.i586.rpm
 9d66380821421ad635227dc5476318b0  2008.1/i586/libapr-util1-1.2.12-4.1mdv2008.1.i586.rpm
 1e5ddcfcc0ad295b60973b5d52d011b3  2008.1/i586/libapr-util-devel-1.2.12-4.1mdv2008.1.i586.rpm 
 e08259c07ac94bc85845f3734be8db34  2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm

CS4.0 i586

 6de99d9180e53e38ee113673a5d3e689  corporate/4.0/i586/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.i586.rpm
 3eaf3a6c3f9e31774c8f25db25dca5be  corporate/4.0/i586/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.i586.rpm
 afe8fec9e8fa17db894eb98f2e35ffd7  corporate/4.0/i586/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.i586.rpm
 62d0ff16e5b1e8ed25d510c660bea31a  corporate/4.0/i586/libapr-util1-1.2.7-6.1.20060mlcs4.i586.rpm
 637f00f1637a352131786816bb1a83ee  corporate/4.0/i586/libapr-util1-devel-1.2.7-6.1.20060mlcs4.i586.rpm 
 4e8d1d2aef2789c69b1cc4b146e13df0  corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm

CS4.0 x86_64

 d5158329088f973b19537ec3ce81ca15  corporate/4.0/x86_64/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.x86_64.rpm
 f3ca6e7dbf32fc8984091a231a783062  corporate/4.0/x86_64/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.x86_64.rpm
 20cbdcfc13ed4dd3c7a96d332598aa9d  corporate/4.0/x86_64/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.x86_64.rpm
 7680ac2c17b071b8bb7d7df7aa819587  corporate/4.0/x86_64/lib64apr-util1-1.2.7-6.1.20060mlcs4.x86_64.rpm
 b78edda70db885ac7c910be07d1ab335  corporate/4.0/x86_64/lib64apr-util1-devel-1.2.7-6.1.20060mlcs4.x86_64.rpm 
 4e8d1d2aef2789c69b1cc4b146e13df0  corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm

2008.1 x86_64

 d56edd77f88f36b09f83b713c9d8ffa2  2008.1/x86_64/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.x86_64.rpm
 0d92993cb208bb096a8ea368f54fe11f  2008.1/x86_64/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.x86_64.rpm
 1dc136b490ff75420d7c574ef8c3171b  2008.1/x86_64/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.x86_64.rpm
 f45811447bb16f318e801358dd204ed3  2008.1/x86_64/lib64apr-util1-1.2.12-4.1mdv2008.1.x86_64.rpm
 dc610ef400bafbcb7661a211c14b5391  2008.1/x86_64/lib64apr-util-devel-1.2.12-4.1mdv2008.1.x86_64.rpm 
 e08259c07ac94bc85845f3734be8db34  2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm

2009.1 x86_64

 2a2b2b3ad850b47a0e46e3887b2444bb  2009.1/x86_64/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.x86_64.rpm
 20da927348792593bc861c87c179731c  2009.1/x86_64/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.x86_64.rpm
 0abf7046538fcdacef067f84313fbbc5  2009.1/x86_64/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.x86_64.rpm
 0292409a75181175cde3f1a012ecb2af  2009.1/x86_64/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.x86_64.rpm
 a4045886cba9ffc7a26b6aaf9576a4ba  2009.1/x86_64/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.x86_64.rpm
 8010ff96d9520f1785b4afc08f04ad5b  2009.1/x86_64/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.x86_64.rpm
 e715d3c003d71105ff333b4ea1a22437  2009.1/x86_64/lib64apr-util1-1.3.4-9.1mdv2009.1.x86_64.rpm
 b187dd640492b20701e9689036c23ff9  2009.1/x86_64/lib64apr-util-devel-1.3.4-9.1mdv2009.1.x86_64.rpm 
 5f540f08104dd6b9308fb8a250265934  2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm

References