-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:195-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : apr Date : August 6, 2009 Affected: Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been identified and corrected in apr and apr-util: Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information (CVE-2009-2412). This update provides fixes for these vulnerabilities. Update: apr-util packages were missing for Mandriva Enterprise Server 5 i586, this has been adressed with this update. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 19ed152f311aaa740e498d204e611c87 mes5/i586/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.i586.rpm 1da16e622bc2aa6fac28b0a9a7c36b39 mes5/i586/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.i586.rpm e9e56ac0cbd4316b1687c3e5bf66d3d3 mes5/i586/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.i586.rpm fbfaeb1772eb0b22de4b4562f5601c50 mes5/i586/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.i586.rpm 6da57cdbe02238048ea6dc115a1ae744 mes5/i586/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.i586.rpm 34beee246bc1206229975aba75776aa2 mes5/i586/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.i586.rpm 445b930503e3e8f15b220681e67c74b4 mes5/i586/libapr-util1-1.3.4-2.3mdvmes5.i586.rpm b53ec99a1242f3d0e31e4267090d4d69 mes5/i586/libapr-util-devel-1.3.4-2.3mdvmes5.i586.rpm ddd3ba83c0f4f0a73954d1ca8b6926c4 mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: 02e1b437a1451b205d726a804ecba70a mes5/x86_64/apr-util-dbd-freetds-1.3.4-2.3mdvmes5.x86_64.rpm daa72432fd3545df890a2aa2ebeacc4e mes5/x86_64/apr-util-dbd-ldap-1.3.4-2.3mdvmes5.x86_64.rpm 5c6b4a74cf6df907a88d1474708ba96c mes5/x86_64/apr-util-dbd-mysql-1.3.4-2.3mdvmes5.x86_64.rpm 8cabe517448ab264870e9b786f58db88 mes5/x86_64/apr-util-dbd-odbc-1.3.4-2.3mdvmes5.x86_64.rpm 4f49787251d7fac85d39535c82389a6a mes5/x86_64/apr-util-dbd-pgsql-1.3.4-2.3mdvmes5.x86_64.rpm 43c974a3636fd725d100332fd0b4f204 mes5/x86_64/apr-util-dbd-sqlite3-1.3.4-2.3mdvmes5.x86_64.rpm 9f0a37e6b63384f216033c6f35975c09 mes5/x86_64/lib64apr-util1-1.3.4-2.3mdvmes5.x86_64.rpm 99d7a7418d4250764773f6cbcc0ebd6c mes5/x86_64/lib64apr-util-devel-1.3.4-2.3mdvmes5.x86_64.rpm ddd3ba83c0f4f0a73954d1ca8b6926c4 mes5/SRPMS/apr-util-1.3.4-2.3mdvmes5.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKewWNmqjQ0CJFipgRAl3dAKCBpW6Ccamts0gKMNkDopc+x+QCZACfZ+Ep WrkXUeLyvhHymK2bJ8xLrXU= =4/ly -----END PGP SIGNATURE-----
