- ------------------------------------------------------------------------
Debian Security Advisory DSA-2117-1                  security@debian.org
http://www.debian.org/security/                           Stefan Fritsch
October 4, 2010                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : apr-util
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-1623

APR-util is part of the Apache Portable Runtime library which is used
by projects such as Apache httpd and Subversion.

Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted http requests to
cause a greatly increased memory consumption in Apache httpd, resulting
in a denial of service.

This upgrade fixes this issue. After the upgrade, any running apache2
server processes need to be restarted.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.12+dfsg-8+lenny5.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.9+dfsg-4.

We recommend that you upgrade your apr-util packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

      Size/MD5 checksum:   658687 4ef3e41037fe0cdd3a0d107335a008eb
      Size/MD5 checksum:     1531 3c280d9325eccb5b202f797dfe4b0fec
      Size/MD5 checksum:    23557 ccbe052945c3c7a7abb083a5780e63fa

alpha architecture (DEC Alpha)

      Size/MD5 checksum:    90912 f01833decf4c09cb19900ad830537656
      Size/MD5 checksum:   157332 c768e904368992a886bab995d06be691
      Size/MD5 checksum:   147422 1f0111e3b3d573c860d72fb7d8f0e8b5

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   133214 02ecc9426d426a0b07fad57d8548a552
      Size/MD5 checksum:    80190 bc013109f72a0550ab75a3cbcea4c8e3
      Size/MD5 checksum:   148128 a9074ac6c50448c01a8b79a1b43fd71a

arm architecture (ARM)

      Size/MD5 checksum:    71238 0f14138790b33ed5312d1bd9c64b1f00
      Size/MD5 checksum:   124300 360c36286adba8e4590d3d788edc861b
      Size/MD5 checksum:   139246 1221f6cb3918a1b4fea98aac628f1eaa

armel architecture (ARM EABI)

      Size/MD5 checksum:   125562 e438c52ef68ba41152adf433bc21d616
      Size/MD5 checksum:    70018 364da2335ced6c3219f8e6ce206b66e3
      Size/MD5 checksum:   139230 76e5e253b409ce658a5be6362344fff5

hppa architecture (HP PA RISC)

      Size/MD5 checksum:    83802 c410f61265b32634094ad350d0d4aeb5
      Size/MD5 checksum:   138764 b467ed9dc49f4379e6db88d45e4ef233
      Size/MD5 checksum:   143056 952388a55397fad1995bc02367571482

i386 architecture (Intel ia32)

      Size/MD5 checksum:   141614 edd53fa18ff076d2dff72b40a9651d14
      Size/MD5 checksum:    73984 2aa25fcf6479e34bdce90f1b989dfa4f
      Size/MD5 checksum:   121060 788336d970df93d381088228298e4f4d

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   110820 789ad31d3dc20ebc5e7a3d1d791087c5
      Size/MD5 checksum:   136570 67db51e6841ba527c27cd8608f203760
      Size/MD5 checksum:   169058 def2319fc7c98c667ff63fab83ba848a

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   137656 65b830e995d0e1df9e5dd3ded8d70384
      Size/MD5 checksum:    74498 dbae966eba410854729e65f1b923616f
      Size/MD5 checksum:   147726 0a00e22703d26b6cb7d9c3b378f628ac

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   144892 99888c01ccac0d9faa3a5550b15fba7a
      Size/MD5 checksum:    74218 8231602412144f158ab4d1250df32cfe
      Size/MD5 checksum:   136538 e0bb514608d43f8c8b2316f631e7e297

powerpc architecture (PowerPC)

      Size/MD5 checksum:   147160 87609acb8e723f45311251cfa03faa8b
      Size/MD5 checksum:   132642 954d78228520f1a803835405fee1a9f5
      Size/MD5 checksum:    83158 1de0e929812f80a27c5b5ef505a74da3

s390 architecture (IBM S/390)

      Size/MD5 checksum:    85652 125b09d4165e3cc8faa822ceba8746e7
      Size/MD5 checksum:   133244 c8ebef5c30d2b61def461d62b8ea7b23
      Size/MD5 checksum:   148902 0ac9f485e20eaf0eff64845c96c63c02

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   125152 d7b0e9e282c1f6532f2239a9eba4e207
      Size/MD5 checksum:    72892 a0fd31dbfcd9cf8301b274d733315162
      Size/MD5 checksum:   131960 95bb41d3245d5d0d6569d6fb045decba


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-2117-1: New apr-util packages fix denial of service

October 4, 2010
APR-util is part of the Apache Portable Runtime library which is used by projects such as Apache httpd and Subversion

Summary

Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted http requests to
cause a greatly increased memory consumption in Apache httpd, resulting
in a denial of service.

This upgrade fixes this issue. After the upgrade, any running apache2
server processes need to be restarted.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.12+dfsg-8+lenny5.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.9+dfsg-4.

We recommend that you upgrade your apr-util packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

Size/MD5 checksum: 658687 4ef3e41037fe0cdd3a0d107335a008eb
Size/MD5 checksum: 1531 3c280d9325eccb5b202f797dfe4b0fec
Size/MD5 checksum: 23557 ccbe052945c3c7a7abb083a5780e63fa

alpha architecture (DEC Alpha)

Size/MD5 checksum: 90912 f01833decf4c09cb19900ad830537656
Size/MD5 checksum: 157332 c768e904368992a886bab995d06be691
Size/MD5 checksum: 147422 1f0111e3b3d573c860d72fb7d8f0e8b5

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 133214 02ecc9426d426a0b07fad57d8548a552
Size/MD5 checksum: 80190 bc013109f72a0550ab75a3cbcea4c8e3
Size/MD5 checksum: 148128 a9074ac6c50448c01a8b79a1b43fd71a

arm architecture (ARM)

Size/MD5 checksum: 71238 0f14138790b33ed5312d1bd9c64b1f00
Size/MD5 checksum: 124300 360c36286adba8e4590d3d788edc861b
Size/MD5 checksum: 139246 1221f6cb3918a1b4fea98aac628f1eaa

armel architecture (ARM EABI)

Size/MD5 checksum: 125562 e438c52ef68ba41152adf433bc21d616
Size/MD5 checksum: 70018 364da2335ced6c3219f8e6ce206b66e3
Size/MD5 checksum: 139230 76e5e253b409ce658a5be6362344fff5

hppa architecture (HP PA RISC)

Size/MD5 checksum: 83802 c410f61265b32634094ad350d0d4aeb5
Size/MD5 checksum: 138764 b467ed9dc49f4379e6db88d45e4ef233
Size/MD5 checksum: 143056 952388a55397fad1995bc02367571482

i386 architecture (Intel ia32)

Size/MD5 checksum: 141614 edd53fa18ff076d2dff72b40a9651d14
Size/MD5 checksum: 73984 2aa25fcf6479e34bdce90f1b989dfa4f
Size/MD5 checksum: 121060 788336d970df93d381088228298e4f4d

ia64 architecture (Intel ia64)

Size/MD5 checksum: 110820 789ad31d3dc20ebc5e7a3d1d791087c5
Size/MD5 checksum: 136570 67db51e6841ba527c27cd8608f203760
Size/MD5 checksum: 169058 def2319fc7c98c667ff63fab83ba848a

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 137656 65b830e995d0e1df9e5dd3ded8d70384
Size/MD5 checksum: 74498 dbae966eba410854729e65f1b923616f
Size/MD5 checksum: 147726 0a00e22703d26b6cb7d9c3b378f628ac

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 144892 99888c01ccac0d9faa3a5550b15fba7a
Size/MD5 checksum: 74218 8231602412144f158ab4d1250df32cfe
Size/MD5 checksum: 136538 e0bb514608d43f8c8b2316f631e7e297

powerpc architecture (PowerPC)

Size/MD5 checksum: 147160 87609acb8e723f45311251cfa03faa8b
Size/MD5 checksum: 132642 954d78228520f1a803835405fee1a9f5
Size/MD5 checksum: 83158 1de0e929812f80a27c5b5ef505a74da3

s390 architecture (IBM S/390)

Size/MD5 checksum: 85652 125b09d4165e3cc8faa822ceba8746e7
Size/MD5 checksum: 133244 c8ebef5c30d2b61def461d62b8ea7b23
Size/MD5 checksum: 148902 0ac9f485e20eaf0eff64845c96c63c02

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 125152 d7b0e9e282c1f6532f2239a9eba4e207
Size/MD5 checksum: 72892 a0fd31dbfcd9cf8301b274d733315162
Size/MD5 checksum: 131960 95bb41d3245d5d0d6569d6fb045decba


These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Severity
APR-util is part of the Apache Portable Runtime library which is used
by projects such as Apache httpd and Subversion.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up