apr-util-1.2.7-7AXS3.1
Errata ID: AXSA:2009-69:01
The mission of the Apache Portable Runtime (APR) is to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR, including support for XML, LDAP, database interfaces, URI parsing and more.
Fixed bugs:
CVE-2009-0023
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, related to an underflow flaw.
CVE-2009-1955
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
CVE-2009-1956
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
Update packages.
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.
SRPMS
- apr-util-1.2.7-7AXS3.1.src.rpm
MD5: d8903dc666d6e37cc796e0f4d28bf553
SHA-256: 74c84f9cdfec3f29509467ffd2d42ccba4a1ef045c66e4c898cabf50e9acfea1
Size: 638.50 kB
Asianux Server 3 for x86
- apr-util-1.2.7-7AXS3.1.i386.rpm
MD5: e8b491aa582ca40c5b696dc4fd49cc20
SHA-256: 1b91e1d7b83cc61f268c9d69486474a5eacdab593e264fd772e8aaf017191834
Size: 76.06 kB
- apr-util-devel-1.2.7-7AXS3.1.i386.rpm
MD5: ed6f827aa511d4af835dcb8be1a8ff68
SHA-256: 80e2f5500cbe95acf5cc58ee523cffd977b49202c65718819bf536357a56201b
Size: 54.94 kB
Asianux Server 3 for x86_64
- apr-util-1.2.7-7AXS3.1.x86_64.rpm
MD5: 3c7b9711844db7f028605130c6f3badb
SHA-256: ee409177a3c6841b15efc4fedcc3b7e63a316bcb79a9a9dcfab018541c565476
Size: 73.63 kB
- apr-util-devel-1.2.7-7AXS3.1.x86_64.rpm
MD5: c097f6287694233dfe28884ef51a95f1
SHA-256: 33bc2e336811a2952d48de6d9381a27e15d0928137d8f70030d76fea97b09dbd
Size: 55.10 kB