[SECURITY] [DSA 2237-1] apr security update

2011-05-1509:25:17

lists.debian.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.969 High

EPSS

Percentile

99.7%

JSON

Debian Security Advisory DSA-2237-1 [email protected]
http://www.debian.org/security/ Stefan Fritsch
May 15, 2011 http://www.debian.org/security/faq

Package : apr
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-0419

A flaw was found in the APR library, which could be exploited through
Apache HTTPD's mod_autoindex. If a directory indexed by mod_autoindex
contained files with sufficiently long names, a remote attacker could
send a carefully crafted request which would cause excessive CPU
usage. This could be used in a denial of service attack.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.2.12-5+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 1.4.2-6+squeeze1.

For the testing distribution (wheezy), this problem will be fixed in
version 1.4.4-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.4-1.

We recommend that you upgrade your apr packages and restart the
apache2 server.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian5armlibapr1-dev< 1.2.12-5+lenny4libapr1-dev_1.2.12-5+lenny4_arm.deb
Debian5sparclibapr1< 1.2.12-5+lenny4libapr1_1.2.12-5+lenny4_sparc.deb
Debian6kfreebsd-i386libapr1< 1.4.2-6+squeeze2libapr1_1.4.2-6+squeeze2_kfreebsd-i386.deb
Debian6sparclibapr1< 1.4.2-6+squeeze2libapr1_1.4.2-6+squeeze2_sparc.deb
Debian5mipsellibapr1-dev< 1.2.12-5+lenny4libapr1-dev_1.2.12-5+lenny4_mipsel.deb
Debian5mipslibapr1-dbg< 1.2.12-5+lenny4libapr1-dbg_1.2.12-5+lenny4_mips.deb
Debian5amd64libapr1-dev< 1.2.12-5+lenny4libapr1-dev_1.2.12-5+lenny4_amd64.deb
Debian6s390libapr1-dev< 1.4.2-6+squeeze2libapr1-dev_1.4.2-6+squeeze2_s390.deb
Debian6sparclibapr1-dev< 1.4.2-6+squeeze2libapr1-dev_1.4.2-6+squeeze2_sparc.deb
Debian6allapr< 1.4.2-6+squeeze2apr_1.4.2-6+squeeze2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	5	arm	libapr1-dev	< 1.2.12-5+lenny4	libapr1-dev_1.2.12-5+lenny4_arm.deb
Debian	5	sparc	libapr1	< 1.2.12-5+lenny4	libapr1_1.2.12-5+lenny4_sparc.deb
Debian	6	kfreebsd-i386	libapr1	< 1.4.2-6+squeeze2	libapr1_1.4.2-6+squeeze2_kfreebsd-i386.deb
Debian	6	sparc	libapr1	< 1.4.2-6+squeeze2	libapr1_1.4.2-6+squeeze2_sparc.deb
Debian	5	mipsel	libapr1-dev	< 1.2.12-5+lenny4	libapr1-dev_1.2.12-5+lenny4_mipsel.deb
Debian	5	mips	libapr1-dbg	< 1.2.12-5+lenny4	libapr1-dbg_1.2.12-5+lenny4_mips.deb
Debian	5	amd64	libapr1-dev	< 1.2.12-5+lenny4	libapr1-dev_1.2.12-5+lenny4_amd64.deb
Debian	6	s390	libapr1-dev	< 1.4.2-6+squeeze2	libapr1-dev_1.4.2-6+squeeze2_s390.deb
Debian	6	sparc	libapr1-dev	< 1.4.2-6+squeeze2	libapr1-dev_1.4.2-6+squeeze2_sparc.deb
Debian	6	all	apr	< 1.4.2-6+squeeze2	apr_1.4.2-6+squeeze2_all.deb