(RHSA-2009:1204) Moderate: apr and apr-util security update

2009-08-1000:00:00

access.redhat.com

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.08 Low

EPSS

Percentile

93.6%

JSON

The Apache Portable Runtime (APR) is a portability library used by the
Apache HTTP Server and other projects. It aims to provide a free library
of C data structures and routines. apr-util is a utility library used with
APR. This library provides additional utility interfaces for APR; including
support for XML parsing, LDAP, database interfaces, URI parsing, and more.

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the way the Apache Portable Runtime (APR) manages memory pool
and relocatable memory allocations. An attacker could use these flaws to
issue a specially-crafted request for memory allocation, which would lead
to a denial of service (application crash) or, potentially, execute
arbitrary code with the privileges of an application using the APR
libraries. (CVE-2009-2412)

All apr and apr-util users should upgrade to these updated packages, which
contain backported patches to correct these issues. Applications using the
APR libraries, such as httpd, must be restarted for this update to take
effect.

OSVersionArchitecturePackageVersionFilename
RedHat5s390xapr-util-devel< 1.2.7-7.el5_3.2apr-util-devel-1.2.7-7.el5_3.2.s390x.rpm
RedHat4ia64apr-util< 0.9.4-22.el4_8.2apr-util-0.9.4-22.el4_8.2.ia64.rpm
RedHat5x86_64apr-devel< 1.2.7-11.el5_3.1apr-devel-1.2.7-11.el5_3.1.x86_64.rpm
RedHat4i386apr-devel< 0.9.4-24.9.el4_8.2apr-devel-0.9.4-24.9.el4_8.2.i386.rpm
RedHat4s390apr-util-devel< 0.9.4-22.el4_8.2apr-util-devel-0.9.4-22.el4_8.2.s390.rpm
RedHat5s390xapr-devel< 1.2.7-11.el5_3.1apr-devel-1.2.7-11.el5_3.1.s390x.rpm
RedHat5ppcapr-util-docs< 1.2.7-7.el5_3.2apr-util-docs-1.2.7-7.el5_3.2.ppc.rpm
RedHat5x86_64apr< 1.2.7-11.el5_3.1apr-1.2.7-11.el5_3.1.x86_64.rpm
RedHat4i386apr< 0.9.4-24.9.el4_8.2apr-0.9.4-24.9.el4_8.2.i386.rpm
RedHat4ia64apr-util-devel< 0.9.4-22.el4_8.2apr-util-devel-0.9.4-22.el4_8.2.ia64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	5	s390x	apr-util-devel	< 1.2.7-7.el5_3.2	apr-util-devel-1.2.7-7.el5_3.2.s390x.rpm
RedHat	4	ia64	apr-util	< 0.9.4-22.el4_8.2	apr-util-0.9.4-22.el4_8.2.ia64.rpm
RedHat	5	x86_64	apr-devel	< 1.2.7-11.el5_3.1	apr-devel-1.2.7-11.el5_3.1.x86_64.rpm
RedHat	4	i386	apr-devel	< 0.9.4-24.9.el4_8.2	apr-devel-0.9.4-24.9.el4_8.2.i386.rpm
RedHat	4	s390	apr-util-devel	< 0.9.4-22.el4_8.2	apr-util-devel-0.9.4-22.el4_8.2.s390.rpm
RedHat	5	s390x	apr-devel	< 1.2.7-11.el5_3.1	apr-devel-1.2.7-11.el5_3.1.s390x.rpm
RedHat	5	ppc	apr-util-docs	< 1.2.7-7.el5_3.2	apr-util-docs-1.2.7-7.el5_3.2.ppc.rpm
RedHat	5	x86_64	apr	< 1.2.7-11.el5_3.1	apr-1.2.7-11.el5_3.1.x86_64.rpm
RedHat	4	i386	apr	< 0.9.4-24.9.el4_8.2	apr-0.9.4-24.9.el4_8.2.i386.rpm
RedHat	4	ia64	apr-util-devel	< 0.9.4-22.el4_8.2	apr-util-devel-0.9.4-22.el4_8.2.ia64.rpm