Mandriva Linux Security Advisory 2009:314: apr
-
- 32
Article Source Mandriva Linux Security Advisories
Multiple security vulnerabilities has been identified and fixed in
apr and apr-util:
Multiple integer overflows in the Apache Portable Runtime (APR)
library and the Apache Portable Utility library (aka APR-util)
0.9.x and 1.3.x allow remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via vectors that
trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc
function in memory/unix/apr_pools.c in APR; or crafted calls to
the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc
function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
NOTE: some of these details are obtained from third party information
(CVE-2009-2412).
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
Apache APR-util before 1.3.5 allows remote attackers to cause a denial
of service (daemon crash) via crafted input involving (1) a .htaccess
file used with the Apache HTTP Server, (2) the SVNMasterURI directive
in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
module for the Apache HTTP Server, or (4) an application that uses
the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn
modules in the Apache HTTP Server, allows remote attackers to
cause a denial of service (memory consumption) via a crafted XML
document containing a large number of nested entity references, as
demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564
(CVE-2009-1955).
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util
before 1.3.5 on big-endian platforms allows remote attackers to obtain
sensitive information or cause a denial of service (application crash)
via crafted input (CVE-2009-1956).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
The updated packages have been patched to prevent this.
Article Source Mandriva Linux Security Advisories Multiple security vulnerabilities has been identified and fixed inapr and apr-util: Multiple integer overflows in the Apache Portable Runtime (APR)library and the Apache Portable Utility library (aka APR-util)0.9.x and 1.3.x allow remote attackers to cause a denial of service(application crash) or possibly execute arbitrary code…
Article Source Mandriva Linux Security Advisories Multiple security vulnerabilities has been identified and fixed inapr and apr-util: Multiple integer overflows in the Apache Portable Runtime (APR)library and the Apache Portable Utility library (aka APR-util)0.9.x and 1.3.x allow remote attackers to cause a denial of service(application crash) or possibly execute arbitrary code…