Ubuntu 786-1: apr-util vulnerabilities

    Date: 10 Jun 2009
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    ===========================================================
    Ubuntu Security Notice USN-786-1              June 10, 2009
    apr-util vulnerabilities
    CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 8.04 LTS
    Ubuntu 8.10
    Ubuntu 9.04
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 8.04 LTS:
      libaprutil1                     1.2.12+dfsg-3ubuntu0.1
    
    Ubuntu 8.10:
      libaprutil1                     1.2.12+dfsg-7ubuntu0.1
    
    Ubuntu 9.04:
      libaprutil1                     1.2.12+dfsg-8ubuntu0.1
    
    After a standard system upgrade you need to restart any services that use
    apr-util, such as Apache or svnserve, to effect the necessary changes.
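    A check for that restart step, added here as an example and not part of the advisory: it lists processes whose address space still maps an old libaprutil that the upgrade replaced on disk (such mappings appear as "(deleted)" in /proc/<pid>/maps). The library path and the sample maps contents are constructed.

```python
"""Find processes still mapping an old, now-deleted libaprutil after the upgrade.
Added example, not part of USN-786-1: parses /proc/<pid>/maps text, where a
library replaced on disk shows as "(deleted)". Sample maps below are constructed."""
import os
import re

# maps line: address perms offset dev inode pathname [(deleted)]
_MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>\S.*?)(?P<deleted>\s\(deleted\))?$")


def stale_mappings(maps_text, libname="libaprutil"):
    """Paths of `libname` mappings marked (deleted) in one process's maps."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if m and m.group("deleted") and libname in os.path.basename(m.group("path")):
            stale.add(m.group("path"))
    return stale


def processes_needing_restart(maps_by_pid, libname="libaprutil"):
    """pid -> stale library paths, for every process that must be restarted."""
    result = {}
    for pid, text in maps_by_pid.items():
        stale = stale_mappings(text, libname)
        if stale:
            result[pid] = stale
    return result


def scan_proc(libname="libaprutil", proc="/proc"):
    """Read each readable /proc/<pid>/maps (root sees all processes) and report."""
    maps_by_pid = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "maps")) as fh:
                    maps_by_pid[int(entry)] = fh.read()
            except OSError:
                continue
    return processes_needing_restart(maps_by_pid, libname)


# Constructed: pid 1234 (an apache2 worker) still maps the unlinked old library,
# pid 5678 (svnserve, already restarted) maps the file installed by the upgrade.
SAMPLE_MAPS = {
    1234: "7f00-7f10 r-xp 00000000 08:01 1234 /usr/lib/libaprutil-1.so.0.2.12 (deleted)\n"
          "7f10-7f11 rw-p 00010000 08:01 1234 /usr/lib/libaprutil-1.so.0.2.12 (deleted)\n"
          "7f20-7f30 r-xp 00000000 08:01 99 /usr/lib/libapr-1.so.0.2.12\n",
    5678: "7f00-7f10 r-xp 00000000 08:01 4321 /usr/lib/libaprutil-1.so.0.2.12\n",
}

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print("restart pid %d: still using %s" % (pid, ", ".join(sorted(libs))))
```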
    
    Details follow:
    
    Matthew Palmer discovered an underflow flaw in apr-util. An attacker could
    cause a denial of service via application crash in Apache using a crafted
    SVNMasterURI directive, .htaccess file, or when using mod_apreq2.
    Applications using libapreq2 are also affected. (CVE-2009-0023)
    
    It was discovered that the XML parser did not properly handle entity
    expansion. A remote attacker could cause a denial of service via memory
    resource consumption by sending a crafted request to an Apache server
    configured to use mod_dav or mod_dav_svn. (CVE-2009-1955)
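    A parser-level mitigation for this class of flaw, as an added example that is not apr-util code or part of the advisory: apr-util's XML layer wraps expat, and Python's expat binding exposes the same entity-declaration hook, so the parser below refuses any document that declares entities before expansion can begin. The PROPFIND body and the nested-entity body are constructed samples.

```python
"""Refuse XML that declares entities, stopping entity-expansion DoS up front.
Added example, not apr-util code: apr-util wraps expat, and this uses Python's
expat binding (xml.parsers.expat). Like defusedxml, it aborts on the first
entity declaration, so nested definitions never get a chance to expand."""
import xml.parsers.expat


class EntityDeclared(Exception):
    """The DTD declared an internal or external entity."""


def _reject_entity(name, is_param, value, base, system_id, public_id, notation):
    raise EntityDeclared("entity declaration not allowed: %s" % name)


def parse_untrusted(data):
    """Parse `data` (bytes) and return the root element name. Raises
    EntityDeclared before any expansion happens; only the five predefined
    entities (&lt; &amp; ...) remain usable, so memory cannot be exhausted."""
    root = []
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity      # fires for every <!ENTITY ...>
    parser.StartElementHandler = lambda name, attrs: root.append(name)
    parser.Parse(data, True)
    return root[0]


def is_safe(data):
    """True if `data` parses without declaring entities (ExpatError still propagates)."""
    try:
        parse_untrusted(data)
        return True
    except EntityDeclared:
        return False


# Constructed samples: a normal WebDAV PROPFIND body, and a body whose DTD
# defines one entity in terms of another (the pattern behind CVE-2009-1955).
PROPFIND = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
NESTED = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">'
          b'<!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>')

if __name__ == "__main__":
    for label, doc in (("propfind", PROPFIND), ("nested", NESTED)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```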
    
    C. Michael Pilato discovered an off-by-one buffer overflow in apr-util when
    formatting certain strings. On big-endian machines (powerpc, hppa and
    sparc in Ubuntu), a remote attacker could cause a denial of service or an
    information leak. All other Ubuntu architectures are not considered
    to be at risk. (CVE-2009-1956)
    