Ubuntu 786-1: apr-util vulnerabilities
==========================================================
Ubuntu Security Notice USN-786-1              June 10, 2009
apr-util vulnerabilities
CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libaprutil1                     1.2.12+dfsg-3ubuntu0.1

Ubuntu 8.10:
  libaprutil1                     1.2.12+dfsg-7ubuntu0.1

Ubuntu 9.04:
  libaprutil1                     1.2.12+dfsg-8ubuntu0.1

After a standard system upgrade you need to restart any services that
use apr-util, such as Apache or svnserve, to effect the necessary
changes.

Details follow:

Matthew Palmer discovered an underflow flaw in apr-util. An attacker
could cause a denial of service via application crash in Apache using
a crafted SVNMasterURI directive, .htaccess file, or when using
mod_apreq2. Applications using libapreq2 are also affected.
(CVE-2009-0023)

It was discovered that the XML parser did not properly handle entity
expansion. A remote attacker could cause a denial of service via
memory resource consumption by sending a crafted request to an Apache
server configured to use mod_dav or mod_dav_svn. (CVE-2009-1955)

C. Michael Pilato discovered an off-by-one buffer overflow in apr-util
when formatting certain strings. For big-endian machines (powerpc,
hppa and sparc in Ubuntu), a remote attacker could cause a denial of
service or information disclosure leak. All other architectures for
Ubuntu are not considered to be at risk. (CVE-2009-1956)