-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:131 http://www.mandriva.com/security/ _______________________________________________________________________ Package : apr-util Date : June 6, 2009 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple security vulnerabilities has been identified and fixed in apr-util: The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, related to an underflow flaw. (CVE-2009-0023). The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564 (CVE-2009-1955). Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input (CVE-2009-1956). The updated packages have been patched to prevent this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 92f1f45dfb84661bd03bf51bee6897d9 2008.1/i586/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.i586.rpm caef9a32c67002abedab6b0ac17b1967 2008.1/i586/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.i586.rpm 8801ecf1cdfdc5dfa78c30bdad3cd060 2008.1/i586/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.i586.rpm 9d66380821421ad635227dc5476318b0 2008.1/i586/libapr-util1-1.2.12-4.1mdv2008.1.i586.rpm 1e5ddcfcc0ad295b60973b5d52d011b3 2008.1/i586/libapr-util-devel-1.2.12-4.1mdv2008.1.i586.rpm e08259c07ac94bc85845f3734be8db34 2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: d56edd77f88f36b09f83b713c9d8ffa2 2008.1/x86_64/apr-util-dbd-mysql-1.2.12-4.1mdv2008.1.x86_64.rpm 0d92993cb208bb096a8ea368f54fe11f 2008.1/x86_64/apr-util-dbd-pgsql-1.2.12-4.1mdv2008.1.x86_64.rpm 1dc136b490ff75420d7c574ef8c3171b 2008.1/x86_64/apr-util-dbd-sqlite3-1.2.12-4.1mdv2008.1.x86_64.rpm f45811447bb16f318e801358dd204ed3 2008.1/x86_64/lib64apr-util1-1.2.12-4.1mdv2008.1.x86_64.rpm dc610ef400bafbcb7661a211c14b5391 2008.1/x86_64/lib64apr-util-devel-1.2.12-4.1mdv2008.1.x86_64.rpm e08259c07ac94bc85845f3734be8db34 2008.1/SRPMS/apr-util-1.2.12-4.1mdv2008.1.src.rpm Mandriva Linux 2009.0: 9176400dae2afb4b5b3610d2f210cc59 2009.0/i586/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.i586.rpm a7bf775d9602e8334e1cd741b3629968 2009.0/i586/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.i586.rpm 3c7258acac4168f81a0c885e30bf1aba 2009.0/i586/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.i586.rpm 7addb0ca1d17c3c13d82546ba37fe88a 2009.0/i586/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.i586.rpm 557370eb6a25ce86b8c2b7fa09d7c272 2009.0/i586/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.i586.rpm 32ede22cfdb2ea0e4d493a0a266f8080 2009.0/i586/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.i586.rpm 7caa67204bbfedd4d02957e5b01d536b 2009.0/i586/libapr-util1-1.3.4-2.1mdv2009.0.i586.rpm 73b73db72a446ef172144f87e42efab5 2009.0/i586/libapr-util-devel-1.3.4-2.1mdv2009.0.i586.rpm b26a710b3ab76a3455c379b7fb445dcd 2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 1518e4d5cc1ed90ede935be0526f45c7 2009.0/x86_64/apr-util-dbd-freetds-1.3.4-2.1mdv2009.0.x86_64.rpm 438292564ad5f4816b611b30d5801133 2009.0/x86_64/apr-util-dbd-ldap-1.3.4-2.1mdv2009.0.x86_64.rpm 1b9f81750a5e10163d8e1ef66824a9fd 2009.0/x86_64/apr-util-dbd-mysql-1.3.4-2.1mdv2009.0.x86_64.rpm 5c66b915d362e2f76af8826cda7ad4f1 2009.0/x86_64/apr-util-dbd-odbc-1.3.4-2.1mdv2009.0.x86_64.rpm b2a87f1ad69286bb6a85cc5684e0a923 2009.0/x86_64/apr-util-dbd-pgsql-1.3.4-2.1mdv2009.0.x86_64.rpm a83f43dbc1e469d35790aa1a416bc532 2009.0/x86_64/apr-util-dbd-sqlite3-1.3.4-2.1mdv2009.0.x86_64.rpm 07799e945a1f9d8a87c1d3571b294566 2009.0/x86_64/lib64apr-util1-1.3.4-2.1mdv2009.0.x86_64.rpm 00a029d2d94c2c148b42a577fb050230 2009.0/x86_64/lib64apr-util-devel-1.3.4-2.1mdv2009.0.x86_64.rpm b26a710b3ab76a3455c379b7fb445dcd 2009.0/SRPMS/apr-util-1.3.4-2.1mdv2009.0.src.rpm Mandriva Linux 2009.1: 5dddb4e8f882abeafe169068155b39e5 2009.1/i586/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.i586.rpm ec7826f62f8532cc9d9f0ec4493c27a8 2009.1/i586/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.i586.rpm a2d652ea15ad9d6fdb20c0c4597b5e92 2009.1/i586/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.i586.rpm 04edc5f79d1f1fb944f124be02f5f4f4 2009.1/i586/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.i586.rpm 5d442d45fd174ede671616de3633c3d1 2009.1/i586/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.i586.rpm d8c39ce871315657d14cd667b86b0a1f 2009.1/i586/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.i586.rpm 53ff86d912ddd8f03f2cc7008e6b3efe 2009.1/i586/libapr-util1-1.3.4-9.1mdv2009.1.i586.rpm 4e48b8ec5cfd96049995be6b35620777 2009.1/i586/libapr-util-devel-1.3.4-9.1mdv2009.1.i586.rpm 5f540f08104dd6b9308fb8a250265934 2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 2a2b2b3ad850b47a0e46e3887b2444bb 2009.1/x86_64/apr-util-dbd-freetds-1.3.4-9.1mdv2009.1.x86_64.rpm 20da927348792593bc861c87c179731c 2009.1/x86_64/apr-util-dbd-ldap-1.3.4-9.1mdv2009.1.x86_64.rpm 0abf7046538fcdacef067f84313fbbc5 2009.1/x86_64/apr-util-dbd-mysql-1.3.4-9.1mdv2009.1.x86_64.rpm 0292409a75181175cde3f1a012ecb2af 2009.1/x86_64/apr-util-dbd-odbc-1.3.4-9.1mdv2009.1.x86_64.rpm a4045886cba9ffc7a26b6aaf9576a4ba 2009.1/x86_64/apr-util-dbd-pgsql-1.3.4-9.1mdv2009.1.x86_64.rpm 8010ff96d9520f1785b4afc08f04ad5b 2009.1/x86_64/apr-util-dbd-sqlite3-1.3.4-9.1mdv2009.1.x86_64.rpm e715d3c003d71105ff333b4ea1a22437 2009.1/x86_64/lib64apr-util1-1.3.4-9.1mdv2009.1.x86_64.rpm b187dd640492b20701e9689036c23ff9 2009.1/x86_64/lib64apr-util-devel-1.3.4-9.1mdv2009.1.x86_64.rpm 5f540f08104dd6b9308fb8a250265934 2009.1/SRPMS/apr-util-1.3.4-9.1mdv2009.1.src.rpm Corporate 4.0: 6de99d9180e53e38ee113673a5d3e689 corporate/4.0/i586/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.i586.rpm 3eaf3a6c3f9e31774c8f25db25dca5be corporate/4.0/i586/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.i586.rpm afe8fec9e8fa17db894eb98f2e35ffd7 corporate/4.0/i586/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.i586.rpm 62d0ff16e5b1e8ed25d510c660bea31a corporate/4.0/i586/libapr-util1-1.2.7-6.1.20060mlcs4.i586.rpm 637f00f1637a352131786816bb1a83ee corporate/4.0/i586/libapr-util1-devel-1.2.7-6.1.20060mlcs4.i586.rpm 4e8d1d2aef2789c69b1cc4b146e13df0 corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: d5158329088f973b19537ec3ce81ca15 corporate/4.0/x86_64/apr-util-dbd-mysql-1.2.7-6.1.20060mlcs4.x86_64.rpm f3ca6e7dbf32fc8984091a231a783062 corporate/4.0/x86_64/apr-util-dbd-pgsql-1.2.7-6.1.20060mlcs4.x86_64.rpm 20cbdcfc13ed4dd3c7a96d332598aa9d corporate/4.0/x86_64/apr-util-dbd-sqlite3-1.2.7-6.1.20060mlcs4.x86_64.rpm 7680ac2c17b071b8bb7d7df7aa819587 corporate/4.0/x86_64/lib64apr-util1-1.2.7-6.1.20060mlcs4.x86_64.rpm b78edda70db885ac7c910be07d1ab335 corporate/4.0/x86_64/lib64apr-util1-devel-1.2.7-6.1.20060mlcs4.x86_64.rpm 4e8d1d2aef2789c69b1cc4b146e13df0 corporate/4.0/SRPMS/apr-util-1.2.7-6.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKKsBgmqjQ0CJFipgRAryqAJ43uOjXmQp4I1cr16CXJMLnyNFKfQCffu5h qObBjyzCi7PWfx6IM1WMldQ= =2E5N -----END PGP SIGNATURE-----