Bugzilla – Bug 529591
VUL-0: CVE-2009-2412: libapr-util1 / libapr1: apr did not properly sanitize its input when allocating memory
Last modified: 2015-09-25 13:15:29 UTC
Hi. There is a security bug in 'libapr-util1'. This bug is public. There is no coordinated release date (CRD) set. CVE number: CVE-2009-2412 CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412 Original posting: ---------- Weitergeleitete Nachricht ---------- Betreff: [Full-disclosure] [USN-813-3] apr-util vulnerability Datum: Samstag 08 August 2009 Von: Jamie Strandboge <jamie@canonical.com> An: ubuntu-security-announce@lists.ubuntu.com =========================================================== Ubuntu Security Notice USN-813-3 August 08, 2009 apr-util vulnerability CVE-2009-2412 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: libaprutil1 1.2.12+dfsg-3ubuntu0.2 Ubuntu 8.10: libaprutil1 1.2.12+dfsg-7ubuntu0.3 Ubuntu 9.04: libaprutil1 1.2.12+dfsg-8ubuntu0.3 After a standard system upgrade you need to restart any applications using apr-util, such as Subversion and Apache, to effect the necessary changes. Details follow: USN-813-1 fixed vulnerabilities in apr. This update provides the corresponding updates for apr-util. Original advisory details: Matt Lewis discovered that apr did not properly sanitize its input when allocating memory. If an application using apr processed crafted input, a remote attacker could cause a denial of service or potentially execute arbitrary code as the user invoking the application. Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr- util_1.2.12+dfsg-3ubuntu0.2.diff.gz Size/MD5: 25223 c491683a8eafa49c7405a3f300e65121 http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr- util_1.2.12+dfsg-3ubuntu0.2.dsc Size/MD5: 1324 88ae14ce33166e372cdd6f8bcf613f92 http://security.ubuntu.com/ubuntu/pool/main/a/apr-util/apr- util_1.2.12+dfsg.orig.tar.gz Size/MD5: 658687 4ef3e41037fe0cdd3a0d107335a008eb ..
The SWAMPID for this issue is 26467. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/26467)
Any news here? Which dists do I need to submit PIs for?
http://www.apache.org/dist/apr/patches/ has the needed patches. Note that this is both about apr and apr-util. Both need to be patched.
i just did the fixed packages + patchinfos.
CVE-2009-2412: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Update released for: libapr-util1, libapr-util1-dbd-mysql, libapr-util1-dbd-pgsql, libapr-util1-dbd-sqlite2, libapr-util1-dbd-sqlite3, libapr-util1-debuginfo, libapr-util1-debugsource, libapr-util1-devel, libapr1, libapr1-debuginfo, libapr1-debugsource, libapr1-devel Products: openSUSE 10.3 (i386, ppc, ppc64, x86_64) openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64) openSUSE 11.1 (debug, i586, ppc, x86_64)
released, finally.
Update released for: libapr-util1, libapr1 Products: SLE-DESKTOP 10-SP3 (i386, x86_64) SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Update released for: libapr-util1, libapr-util1-32bit, libapr-util1-dbd-mysql, libapr-util1-dbd-pgsql, libapr-util1-dbd-sqlite3, libapr-util1-debuginfo, libapr-util1-debuginfo-32bit, libapr-util1-debugsource, libapr-util1-devel, libapr-util1-devel-32bit, libapr1, libapr1-32bit, libapr1-debuginfo, libapr1-debuginfo-32bit, libapr1-debugsource, libapr1-devel, libapr1-devel-32bit Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: libapr-util1, libapr-util1-devel, libapr1, libapr1-devel Products: SLE-DESKTOP 10-SP2 (i386, x86_64) SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Starting L3 here
Sles10sp2 contains also the following fixes: - bug 510301 - bug 509825 I will include them as well.
Sles10sp1 PTF will appear at: x86_64: https://you.novell.com/update/x86_64/update/SUSE-SLES/10/PTF/9b7be0bff5fe1bc50a563ce50edaba41/20100205-1 i386: https://you.novell.com/update/i386/update/SUSE-SLES/10/PTF/9b7be0bff5fe1bc50a563ce50edaba41/20100205-6
and m,ark as resolved/fixed again
The patch applies also to sles9sp4 (apache2 source package). I will provide a PTF but we should push this to maintenance as well, I guess. Same applies to bug 509825.
The PTF will appear at: https://you.novell.com/update/i386/update/SUSE-SLES/9/PTF/9b7be0bff5fe1bc50a563ce50edaba41/20100322 https://you.novell.com/update/x86_64/update/SUSE-SLES/9/PTF/9b7be0bff5fe1bc50a563ce50edaba41/20100322
to apache maintainer for sles9 cross checking.
Thanks! All seems fine. reass to security-team for closing.
closing
looks like there was some misunderstanding, reassigning to roman again.
sles9 packages submitted; CVE-2009-2412, CVE-2009-1955.
The SWAMPID for this issue is 32976. This issue was rated as moderate. Please submit the packages and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/32976)
released
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: Novell-Linux-POS 9 (i386) Open-Enterprise-Server 9 (i386) SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)