===========================================================
Ubuntu Security Notice USN-786-1              June 10, 2009
apr-util vulnerabilities
CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libaprutil1                     1.2.12+dfsg-3ubuntu0.1

Ubuntu 8.10:
  libaprutil1                     1.2.12+dfsg-7ubuntu0.1

Ubuntu 9.04:
  libaprutil1                     1.2.12+dfsg-8ubuntu0.1

After a standard system upgrade you need to restart any services that
use apr-util, such as Apache or svnserve, to effect the necessary
changes.

Details follow:

Matthew Palmer discovered an underflow flaw in apr-util. An attacker
could crash Apache (denial of service) via a crafted SVNMasterURI
directive or .htaccess file, or through mod_apreq2. Applications using
libapreq2 are also affected. (CVE-2009-0023)

It was discovered that the apr-util XML parser did not limit entity
expansion. A remote attacker could exhaust memory (denial of service)
by sending a crafted request to an Apache server configured to use
mod_dav or mod_dav_svn. (CVE-2009-1955)

C. Michael Pilato discovered an off-by-one buffer overflow in apr-util
when formatting certain strings. On big-endian machines (powerpc, hppa
and sparc in Ubuntu), a remote attacker could cause a denial of service
or an information leak. Other Ubuntu architectures are not considered to
be at risk. (CVE-2009-1956)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-3ubuntu0.1.diff.gz
      Size/MD5:    24574 b2420f470b89f1615f057ab0d7a8fb1b
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-3ubuntu0.1.dsc
      Size/MD5:     1324 3d8d31431281ace5a474c086b81ca68d
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
      Size/MD5:   658687 4ef3e41037fe0cdd3a0d107335a008eb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_amd64.deb
      Size/MD5:   133066 7b3c573fcd12d1d298a72836e30c7871
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_amd64.deb
      Size/MD5:   129888 997d790d176112338827b7ec69b2b875
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_amd64.deb
      Size/MD5:    75868 fb5b2593ec7f988da308d5bc49262792

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_i386.deb
      Size/MD5:   126324 c5e0c3e481955d77d6dcb6b6e0062faf
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_i386.deb
      Size/MD5:   119408 3e6ac00f8f52fe380dce9f229d44e1e4
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_i386.deb
      Size/MD5:    70352 ce4883670593cd7101bb512b75f511ab

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_lpia.deb
      Size/MD5:   128056 da36f9545e11be1121f988e6ed9b927b
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_lpia.deb
      Size/MD5:   119064 249b96b4bd8bfac97a613cd9bde37e7f
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_lpia.deb
      Size/MD5:    69540 3df182c1e62ba76c7d530da9de4e91f8

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_powerpc.deb
      Size/MD5:   133836 0f893ec4252c3dd37be0a1fa1dc34bde
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_powerpc.deb
      Size/MD5:   130282 0d4c0efa6ec794122aff6b7ee2f2814e
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_powerpc.deb
      Size/MD5:    80120 da8d5adb86e4a0cbf17dd9beec0eb702

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-3ubuntu0.1_sparc.deb
      Size/MD5:   120154 80d4bd5baf2481590d2027564cbe01b6
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-3ubuntu0.1_sparc.deb
      Size/MD5:   124164 30a88899ff268cd92b320fcad4537cc5
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-3ubuntu0.1_sparc.deb
      Size/MD5:    71116 abe3f0348d5243b121b1d5ec057afc59

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-7ubuntu0.1.diff.gz
      Size/MD5:    25591 0b7395302ddb00bea5a5e08e5c853b9b
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-7ubuntu0.1.dsc
      Size/MD5:     1632 f7ec40dbe488612dfaa923d4fdcce0cc
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
      Size/MD5:   658687 4ef3e41037fe0cdd3a0d107335a008eb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_amd64.deb
      Size/MD5:   150754 c62d95de736540118e79d55a19cbfe88
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_amd64.deb
      Size/MD5:   136314 ba94c537013ce62bf156f611daf871be
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_amd64.deb
      Size/MD5:    82382 d048ffe3b1c1957ceaa0e078465bec83

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_i386.deb
      Size/MD5:   144020 590a52c97853ed46cbb0ba59cf17675c
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_i386.deb
      Size/MD5:   124820 c8be5124f0e16940e3e23f24af228af8
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_i386.deb
      Size/MD5:    75830 d45ad82f9d0f20fb55b0f7d35128661a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_lpia.deb
      Size/MD5:   145348 c88756b31e3bf6b36912088c35e3a713
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_lpia.deb
      Size/MD5:   124594 d5dfdcd3f7aa11f939714028e94dc6ed
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_lpia.deb
      Size/MD5:    75150 ce8f9914f29d4742ec3a4f99b3c59393

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_powerpc.deb
      Size/MD5:   150190 bd1adf49cd11f9f18ce6b9ec093aca93
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_powerpc.deb
      Size/MD5:   135892 9e3ed838d846fac285427123af1930f3
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_powerpc.deb
      Size/MD5:    84846 135994ac372c8c6614d418351ddc9fd5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-7ubuntu0.1_sparc.deb
      Size/MD5:   135354 3aad2512d439e310004e9e47b14319cd
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-7ubuntu0.1_sparc.deb
      Size/MD5:   128358 0ce0c3418e47b4dfd55be998ba082d88
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-7ubuntu0.1_sparc.deb
      Size/MD5:    75364 0b0634bcc540b68444fdf1f2ecfde92b

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-8ubuntu0.1.diff.gz
      Size/MD5:    22846 206a190e418ef32ac80cb21976c0c535
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg-8ubuntu0.1.dsc
      Size/MD5:     1630 42152b61158055a6b248bafa3d3ccb65
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
      Size/MD5:   658687 4ef3e41037fe0cdd3a0d107335a008eb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_amd64.deb
      Size/MD5:   147306 918e2ade399f448b01883ea45fccbc52
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_amd64.deb
      Size/MD5:   132960 5ea0a03316d69002c76510b9ebba4bef
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_amd64.deb
      Size/MD5:    78924 2e42e78880ad1b0fd689b6b304a8be28

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_i386.deb
      Size/MD5:   140514 2bc7d4bc488b864fce998161118e952a
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_i386.deb
      Size/MD5:   121226 7299c4f38d94e46cbb1014fe2b7650fc
    http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_i386.deb
      Size/MD5:    72416 1102da0f14f8c08d5279861ba69f4b18

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_lpia.deb
      Size/MD5:   141702 4e7eb2cad127657ea22ff81d03aac32e
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_lpia.deb
      Size/MD5:   120970 4999f99cdce03e3f9693bb678edc65b6
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_lpia.deb
      Size/MD5:    71822 9abb9a40c00e626718ee86a981608c5a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_powerpc.deb
      Size/MD5:   146566 1f745e1d18b2c10c0318629ac6ee6d67
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_powerpc.deb
      Size/MD5:   132458 c5c91538a415db18d285076e6e8fc7ff
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_powerpc.deb
      Size/MD5:    81408 75bfc684ae3a41319b94b5f3ed808914

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8ubuntu0.1_sparc.deb
      Size/MD5:   131386 50dfb432a206f070517394d1b1403bab
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8ubuntu0.1_sparc.deb
      Size/MD5:   124770 aea3ccb26d29a0cd3cc59b52a96c01db
    http://ports.ubuntu.com/pool/main/a/apr-util/libaprutil1_1.2.12+dfsg-8ubuntu0.1_sparc.deb
      Size/MD5:    71726 c1a1dacde51cd734af53a48f2214f2ca
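The entity-expansion condition behind CVE-2009-1955 above, as an added illustration that is not part of this notice and not apr-util's own code. It uses Python's bundled expat binding because apr_xml is itself built on expat; the two PROPFIND bodies are constructed samples of the kind mod_dav reads, and the function names are my own. The "vulnerable" path expands internal entities without limit; the hardened path registers an entity-declaration handler that aborts the parse, which is the approach the upstream apr_xml fix took (stopping the parser as soon as any entity is declared). The sample keeps the nesting shallow so it runs in milliseconds; each extra level multiplies the output by ten.

```python
"""Entity-expansion ("billion laughs") demo against an expat-based parser.

Added example; not Ubuntu or apr-util code.  Uses xml.parsers.expat,
the same parser family apr_xml is built on.
"""
import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when untrusted XML tries to declare an entity."""


# Constructed sample: a WebDAV PROPFIND body whose internal DTD subset
# nests four levels of ten references each.  About 390 bytes of request
# produce 3000 bytes of character data; ten levels would produce 3e10.
EXPANDING_BODY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE propfind [\n'
    b'  <!ENTITY lol "lol">\n'
    b'  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    b'  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    b'  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
    b']>\n'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname>&lol3;</D:displayname></D:prop></D:propfind>'
)

# Constructed benign request of the kind mod_dav normally receives.
BENIGN_BODY = (
    b'<?xml version="1.0"?>\n'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>'
)


def _parse(data, reject_entity_decls):
    """Parse `data`; return counts of elements seen and characters produced.

    With reject_entity_decls=True any entity declaration in the internal
    DTD subset aborts the parse, so expansion never starts.
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "chars": 0}

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_chars(text):
        # Expanded entity text arrives here, possibly in many small chunks.
        stats["chars"] += len(text)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Raising inside a handler makes pyexpat stop the parser and
        # re-raise from Parse(), which is the behaviour we want.
        raise EntityDeclarationError("entity declaration %r not allowed" % name)

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    if reject_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return stats


def parse_expanding(data):
    """Vulnerable behaviour: internal entities are expanded without limit."""
    return _parse(data, reject_entity_decls=False)


def parse_rejecting_entities(data):
    """Hardened behaviour: refuse any document that declares entities."""
    return _parse(data, reject_entity_decls=True)


def amplification(data):
    """Bytes of character data produced per byte of request body."""
    return parse_expanding(data)["chars"] / len(data)


if __name__ == "__main__":
    print("expanded chars:", parse_expanding(EXPANDING_BODY)["chars"])
    print("amplification: %.1fx" % amplification(EXPANDING_BODY))
    try:
        parse_rejecting_entities(EXPANDING_BODY)
    except EntityDeclarationError as exc:
        print("rejected:", exc)
    print("benign request:", parse_rejecting_entities(BENIGN_BODY))
```

Rejecting entity declarations outright is the right trade-off for a DAV request parser, which has no legitimate need for DTD-defined entities; a parser that must accept them should instead cap the expansion ratio and total expanded size, as recent expat versions do by default once output passes a threshold.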