exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2009-131

Mandriva Linux Security Advisory 2009-131
Posted Jun 8, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-131-1 - Multiple security vulnerabilities including off-by-one and denial of service issues have been identified and fixed in apr-util. Fixed packages for CS3 and MNF2 was missing with the last update.

tags | advisory, denial of service, vulnerability
systems | linux, mandriva
advisories | CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
SHA-256 | eb63653bb7f489ede1977452aee2e71e5ab8b2560985348a5c4db17376cba613

Mandriva Linux Security Advisory 2009-131

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:131-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apr-util
Date : June 6, 2009
Affected: Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in apr-util:

The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
Apache APR-util before 1.3.5 allows remote attackers to cause a denial
of service (daemon crash) via crafted input involving (1) a .htaccess
file used with the Apache HTTP Server, (2) the SVNMasterURI directive
in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
module for the Apache HTTP Server, or (4) an application that uses
the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).

The updated packages have been patched to prevent this.

Update:

Fixed packages for CS3 and MNF2 was missing with the last update.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
6438073fa2571cedb2edcb8a695bda16 corporate/3.0/i586/apache2-2.0.48-6.20.C30mdk.i586.rpm
12e8afeabb65ea4abf905524fd61b343 corporate/3.0/i586/apache2-common-2.0.48-6.20.C30mdk.i586.rpm
4eadd42fb186a26d786d25362533e82a corporate/3.0/i586/apache2-devel-2.0.48-6.20.C30mdk.i586.rpm
832d9dbd5600782a929b71bd7e6f61bb corporate/3.0/i586/apache2-manual-2.0.48-6.20.C30mdk.i586.rpm
750c02cf0859b7b317f124c5107a5b07 corporate/3.0/i586/apache2-mod_cache-2.0.48-6.20.C30mdk.i586.rpm
9ed613802d3e5f8fc088b8465428f1d9 corporate/3.0/i586/apache2-mod_dav-2.0.48-6.20.C30mdk.i586.rpm
9030c9382a9d4d3020b8fd815cbabaa7 corporate/3.0/i586/apache2-mod_deflate-2.0.48-6.20.C30mdk.i586.rpm
8e98aa19ce3197ae31f870c84402e1ea corporate/3.0/i586/apache2-mod_disk_cache-2.0.48-6.20.C30mdk.i586.rpm
97233182b774c4350d05e4e7422aca65 corporate/3.0/i586/apache2-mod_file_cache-2.0.48-6.20.C30mdk.i586.rpm
40e47234eb2605375c5fc717659e0eae corporate/3.0/i586/apache2-mod_ldap-2.0.48-6.20.C30mdk.i586.rpm
80dfaf750009361fe621c594bec5efb7 corporate/3.0/i586/apache2-mod_mem_cache-2.0.48-6.20.C30mdk.i586.rpm
6573645bbb414f59115229207305a3f3 corporate/3.0/i586/apache2-mod_proxy-2.0.48-6.20.C30mdk.i586.rpm
612e933acc767970ecdf1f23e62c2ebf corporate/3.0/i586/apache2-mod_ssl-2.0.48-6.20.C30mdk.i586.rpm
dc00610fd6633f63f891c5f768a22acd corporate/3.0/i586/apache2-modules-2.0.48-6.20.C30mdk.i586.rpm
5241d3032ae49713e43d07d39fbbee04 corporate/3.0/i586/apache2-source-2.0.48-6.20.C30mdk.i586.rpm
34d3d434bc723130e6e59049b5e3939a corporate/3.0/i586/libapr0-2.0.48-6.20.C30mdk.i586.rpm
f048b454b9bf609c1cc7b13c413387d4 corporate/3.0/SRPMS/apache2-2.0.48-6.20.C30mdk.src.rpm

Corporate 3.0/X86_64:
755b2e066f779fa9aad5f403335e1f75 corporate/3.0/x86_64/apache2-2.0.48-6.20.C30mdk.x86_64.rpm
42bc30427c45df83d7a0fbb5bee60505 corporate/3.0/x86_64/apache2-common-2.0.48-6.20.C30mdk.x86_64.rpm
783174aa020c5b14095087172bade395 corporate/3.0/x86_64/apache2-devel-2.0.48-6.20.C30mdk.x86_64.rpm
4b54570bdb7f6aa29d370a9250a55450 corporate/3.0/x86_64/apache2-manual-2.0.48-6.20.C30mdk.x86_64.rpm
9fb862a630cc2fdddf5aadffc73d8f03 corporate/3.0/x86_64/apache2-mod_cache-2.0.48-6.20.C30mdk.x86_64.rpm
ce00089db719cc5fccf8c5ed614e0f86 corporate/3.0/x86_64/apache2-mod_dav-2.0.48-6.20.C30mdk.x86_64.rpm
6c7ce93e4faf3910a4e37ecfb3aa6bcf corporate/3.0/x86_64/apache2-mod_deflate-2.0.48-6.20.C30mdk.x86_64.rpm
084c2310ae92da6d58f2c2d9748ef947 corporate/3.0/x86_64/apache2-mod_disk_cache-2.0.48-6.20.C30mdk.x86_64.rpm
338bedc1f695ac29257f4fbbbae0e913 corporate/3.0/x86_64/apache2-mod_file_cache-2.0.48-6.20.C30mdk.x86_64.rpm
429fcecf3fa53ec73c1c2082a06c8a7b corporate/3.0/x86_64/apache2-mod_ldap-2.0.48-6.20.C30mdk.x86_64.rpm
34b8969d6cdf063c24c3db5da60b66ed corporate/3.0/x86_64/apache2-mod_mem_cache-2.0.48-6.20.C30mdk.x86_64.rpm
b4ff66b59400e60406286db040351c46 corporate/3.0/x86_64/apache2-mod_proxy-2.0.48-6.20.C30mdk.x86_64.rpm
e0fce8ab4362f1a40461af7cc1f388c0 corporate/3.0/x86_64/apache2-mod_ssl-2.0.48-6.20.C30mdk.x86_64.rpm
6da81ad00ba8f7e6f35e18a81b79ecc4 corporate/3.0/x86_64/apache2-modules-2.0.48-6.20.C30mdk.x86_64.rpm
3cef182192afb5a101aed6b824d9950a corporate/3.0/x86_64/apache2-source-2.0.48-6.20.C30mdk.x86_64.rpm
7b3b62b6b01d77c344a66b74f6fc92c0 corporate/3.0/x86_64/lib64apr0-2.0.48-6.20.C30mdk.x86_64.rpm
f048b454b9bf609c1cc7b13c413387d4 corporate/3.0/SRPMS/apache2-2.0.48-6.20.C30mdk.src.rpm

Multi Network Firewall 2.0:
dc646d83c4a17cd5253cad5627b27baf mnf/2.0/i586/apache2-2.0.48-6.20.C30mdk.i586.rpm
b3e5796e1c8b600153bb7760aa3c7c44 mnf/2.0/i586/apache2-common-2.0.48-6.20.C30mdk.i586.rpm
0c1b528680931b0d0d62aed029c00cc2 mnf/2.0/i586/apache2-devel-2.0.48-6.20.C30mdk.i586.rpm
3951d007d5ba03eec47465eaabfe3f23 mnf/2.0/i586/apache2-manual-2.0.48-6.20.C30mdk.i586.rpm
8e55c40e40744a064882cd0fa4ef5cf0 mnf/2.0/i586/apache2-mod_cache-2.0.48-6.20.C30mdk.i586.rpm
3f91a25523c535522cc84ff120fdc0ed mnf/2.0/i586/apache2-mod_dav-2.0.48-6.20.C30mdk.i586.rpm
f2b9e2ce65a8b9195befd7ac0250e6c4 mnf/2.0/i586/apache2-mod_deflate-2.0.48-6.20.C30mdk.i586.rpm
6c612ca239c1e15ca44beea45802d2ca mnf/2.0/i586/apache2-mod_disk_cache-2.0.48-6.20.C30mdk.i586.rpm
1fe18f3beae65e236fc2ebb124fac665 mnf/2.0/i586/apache2-mod_file_cache-2.0.48-6.20.C30mdk.i586.rpm
239baa6e2e43f7e4d8b68ba57d604f2c mnf/2.0/i586/apache2-mod_ldap-2.0.48-6.20.C30mdk.i586.rpm
0b90721f4df783807ad1a10608f6bab1 mnf/2.0/i586/apache2-mod_mem_cache-2.0.48-6.20.C30mdk.i586.rpm
7f372005bb7420f976f2841f86c97397 mnf/2.0/i586/apache2-mod_proxy-2.0.48-6.20.C30mdk.i586.rpm
41edbf29d8d04a4eb449b3c7970ac106 mnf/2.0/i586/apache2-mod_ssl-2.0.48-6.20.C30mdk.i586.rpm
0173e0d347b2f8371cb2ebd8224e9953 mnf/2.0/i586/apache2-modules-2.0.48-6.20.C30mdk.i586.rpm
2ce003b3977c10d3e88b2d6c1dad3f9b mnf/2.0/i586/apache2-source-2.0.48-6.20.C30mdk.i586.rpm
f4e5264b902bfb715cb473971f15919b mnf/2.0/i586/libapr0-2.0.48-6.20.C30mdk.i586.rpm
8378e9f5191f581f69e6035c384a18d9 mnf/2.0/SRPMS/apache2-2.0.48-6.20.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKKs7EmqjQ0CJFipgRAvW1AKDFncWXD3WDxWdnZ15jHvdjXjvsjwCfYM/c
qWtinAYlUKkAjD1lrgm+KdM=
=o+c7
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close