Debian: DSA-2117-1: New apr-util packages fix denial of service

    Date04 Oct 2010
    CategoryDebian
    23
    Posted ByLinuxSecurity Advisories
    APR-util is part of the Apache Portable Runtime library which is used by projects such as Apache httpd and Subversion. Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2117-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Stefan Fritsch
    October 4, 2010                       http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : apr-util
    Vulnerability  : denial of service
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2010-1623
    
    APR-util is part of the Apache Portable Runtime library which is used
    by projects such as Apache httpd and Subversion.
    
    Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
    in apr-util. A remote attacker could send crafted http requests to
    cause a greatly increased memory consumption in Apache httpd, resulting
    in a denial of service.
    
    This upgrade fixes this issue. After the upgrade, any running apache2
    server processes need to be restarted.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1.2.12+dfsg-8+lenny5.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 1.3.9+dfsg-4.
    
    We recommend that you upgrade your apr-util packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 5.0 alias lenny (stable)
    - -----------------------------------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg.orig.tar.gz
        Size/MD5 checksum:   658687 4ef3e41037fe0cdd3a0d107335a008eb
      http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny5.dsc
        Size/MD5 checksum:     1531 3c280d9325eccb5b202f797dfe4b0fec
      http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.12+dfsg-8+lenny5.diff.gz
        Size/MD5 checksum:    23557 ccbe052945c3c7a7abb083a5780e63fa
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_alpha.deb
        Size/MD5 checksum:    90912 f01833decf4c09cb19900ad830537656
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_alpha.deb
        Size/MD5 checksum:   157332 c768e904368992a886bab995d06be691
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_alpha.deb
        Size/MD5 checksum:   147422 1f0111e3b3d573c860d72fb7d8f0e8b5
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_amd64.deb
        Size/MD5 checksum:   133214 02ecc9426d426a0b07fad57d8548a552
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_amd64.deb
        Size/MD5 checksum:    80190 bc013109f72a0550ab75a3cbcea4c8e3
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_amd64.deb
        Size/MD5 checksum:   148128 a9074ac6c50448c01a8b79a1b43fd71a
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_arm.deb
        Size/MD5 checksum:    71238 0f14138790b33ed5312d1bd9c64b1f00
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_arm.deb
        Size/MD5 checksum:   124300 360c36286adba8e4590d3d788edc861b
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_arm.deb
        Size/MD5 checksum:   139246 1221f6cb3918a1b4fea98aac628f1eaa
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_armel.deb
        Size/MD5 checksum:   125562 e438c52ef68ba41152adf433bc21d616
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_armel.deb
        Size/MD5 checksum:    70018 364da2335ced6c3219f8e6ce206b66e3
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_armel.deb
        Size/MD5 checksum:   139230 76e5e253b409ce658a5be6362344fff5
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_hppa.deb
        Size/MD5 checksum:    83802 c410f61265b32634094ad350d0d4aeb5
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_hppa.deb
        Size/MD5 checksum:   138764 b467ed9dc49f4379e6db88d45e4ef233
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_hppa.deb
        Size/MD5 checksum:   143056 952388a55397fad1995bc02367571482
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_i386.deb
        Size/MD5 checksum:   141614 edd53fa18ff076d2dff72b40a9651d14
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_i386.deb
        Size/MD5 checksum:    73984 2aa25fcf6479e34bdce90f1b989dfa4f
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_i386.deb
        Size/MD5 checksum:   121060 788336d970df93d381088228298e4f4d
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_ia64.deb
        Size/MD5 checksum:   110820 789ad31d3dc20ebc5e7a3d1d791087c5
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_ia64.deb
        Size/MD5 checksum:   136570 67db51e6841ba527c27cd8608f203760
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_ia64.deb
        Size/MD5 checksum:   169058 def2319fc7c98c667ff63fab83ba848a
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_mips.deb
        Size/MD5 checksum:   137656 65b830e995d0e1df9e5dd3ded8d70384
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_mips.deb
        Size/MD5 checksum:    74498 dbae966eba410854729e65f1b923616f
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_mips.deb
        Size/MD5 checksum:   147726 0a00e22703d26b6cb7d9c3b378f628ac
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_mipsel.deb
        Size/MD5 checksum:   144892 99888c01ccac0d9faa3a5550b15fba7a
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_mipsel.deb
        Size/MD5 checksum:    74218 8231602412144f158ab4d1250df32cfe
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_mipsel.deb
        Size/MD5 checksum:   136538 e0bb514608d43f8c8b2316f631e7e297
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_powerpc.deb
        Size/MD5 checksum:   147160 87609acb8e723f45311251cfa03faa8b
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_powerpc.deb
        Size/MD5 checksum:   132642 954d78228520f1a803835405fee1a9f5
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_powerpc.deb
        Size/MD5 checksum:    83158 1de0e929812f80a27c5b5ef505a74da3
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_s390.deb
        Size/MD5 checksum:    85652 125b09d4165e3cc8faa822ceba8746e7
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_s390.deb
        Size/MD5 checksum:   133244 c8ebef5c30d2b61def461d62b8ea7b23
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_s390.deb
        Size/MD5 checksum:   148902 0ac9f485e20eaf0eff64845c96c63c02
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.12+dfsg-8+lenny5_sparc.deb
        Size/MD5 checksum:   125152 d7b0e9e282c1f6532f2239a9eba4e207
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.12+dfsg-8+lenny5_sparc.deb
        Size/MD5 checksum:    72892 a0fd31dbfcd9cf8301b274d733315162
      http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.12+dfsg-8+lenny5_sparc.deb
        Size/MD5 checksum:   131960 95bb41d3245d5d0d6569d6fb045decba
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"14","type":"x","order":"1","pct":53.85,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":15.38,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"8","type":"x","order":"3","pct":30.77,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.