- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200907-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: APR Utility Library: Multiple vulnerabilities Date: July 04, 2009 Bugs: #268643, #272260, #274193 ID: 200907-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in the Apache Portable Runtime Utility Library might enable remote attackers to cause a Denial of Service or disclose sensitive information. Background ========== The Apache Portable Runtime Utility Library (aka apr-util) provides an interface to functionality such as XML parsing, string matching and databases connections. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/apr-util < 1.3.7 >= 1.3.7 Description =========== Multiple vulnerabilities have been discovered in the APR Utility Library: * Matthew Palmer reported a heap-based buffer underflow while compiling search patterns in the apr_strmatch_precompile() function in strmatch/apr_strmatch.c (CVE-2009-0023). * kcope reported that the expat XML parser in xml/apr_xml.c does not limit the amount of XML entities expanded recursively (CVE-2009-1955). * C. Michael Pilato reported an off-by-one error in the apr_brigade_vprintf() function in buckets/apr_brigade.c (CVE-2009-1956). Impact ====== A remote attacker could exploit these vulnerabilities to cause a Denial of Service (crash or memory exhaustion) via an Apache HTTP server running mod_dav or mod_dav_svn, or using several configuration files. Additionally, a remote attacker could disclose sensitive information or cause a Denial of Service by sending a specially crafted input. NOTE: Only big-endian architectures such as PPC and HPPA are affected by the latter flaw. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache Portable Runtime Utility Library users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.7" References ========== [ 1 ] CVE-2009-0023 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023 [ 2 ] CVE-2009-1955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 [ 3 ] CVE-2009-1956 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200907-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: This is a digitally signed message part