------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-89 security@pardus.org.tr
------------------------------------------------------------------------
Date: 2009-06-13
Severity: 2
Type: Remote
------------------------------------------------------------------------
Summary
=======
Some vulnerabilities have been reported in APR-util, which can be
exploited by malicious users and malicious people to cause a DoS (Denial
of Service).
Description
===========
1) A vulnerability is caused by an error in the processing of XML
files and can be exploited to exhaust all available memory via a
specially crafted XML file containing a predefined entity inside an
entity definition.
2) A vulnerability is caused by an error within the
"apr_strmatch_precompile()" function in strmatch/apr_strmatch.c, which
can be exploited to crash an application using the library.
3) Off-by-one error in the apr_brigade_vprintf function on big-endian
platforms allows remote attackers to obtain sensitive information or
cause a denial of service (application crash) via crafted input.
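The XML issue in item 1 is an entity-expansion problem: an entity defined in terms of other entities (including the predefined ones) can blow up to far more than its declared size when the parser expands it. The following script is an added example, not code from the advisory or from the APR project; it is a defensive pre-filter that inspects the internal DTD subset of an XML document before it is handed to an apr-util/expat based parser, flags entity definitions that reference predefined entities, detects recursive definitions, and computes the worst-case expanded size. The sample documents, the entity names and the `max_expansion` threshold are constructed for illustration.

```python
import re

# The five entities every XML parser predefines (item 1 of the advisory concerns
# a reference to one of these from inside another entity's definition).
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

# Internal DTD subset: everything between '[' and ']' of the DOCTYPE declaration.
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
# General entity declarations only; parameter entities (<!ENTITY % ...>) are not matched.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
# Named entity references inside replacement text (character references like &#38; are excluded).
ENTITY_REF = re.compile(r'&([\w.-]+);')


def internal_entities(doc):
    """Return {name: replacement_text} for general entities declared in the internal subset."""
    m = DOCTYPE.search(doc)
    if not m:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expanded_length(entities, name, _memo=None, _stack=()):
    """Number of characters `name` expands to once every nested reference is resolved.
    A recursive definition is reported as float('inf') instead of looping forever."""
    if _memo is None:
        _memo = {}
    if name in _memo:
        return _memo[name]
    if name in _stack:
        return float('inf')
    if name in PREDEFINED:
        return 1  # &lt; -> '<', &amp; -> '&', and so on
    value = entities.get(name)
    if value is None:
        return len(name) + 2  # undeclared reference: counted literally as '&name;'
    total, last = 0, 0
    for ref in ENTITY_REF.finditer(value):
        total += ref.start() - last
        total += expanded_length(entities, ref.group(1), _memo, _stack + (name,))
        last = ref.end()
    total += len(value) - last
    _memo[name] = total
    return total


def audit(doc, max_expansion=100_000):
    """Inspect the internal subset and return a report a caller can use to reject the document
    before it reaches the vulnerable parser. `max_expansion` is an assumed, site-chosen limit."""
    entities = internal_entities(doc)
    findings = []
    for name, value in entities.items():
        if set(ENTITY_REF.findall(value)) & PREDEFINED:
            findings.append(f"entity '{name}' references a predefined entity inside its definition")
    worst = 0
    for name in entities:
        size = expanded_length(entities, name)
        if size == float('inf'):
            findings.append(f"entity '{name}' is recursively defined")
        else:
            worst = max(worst, size)
    if worst > max_expansion:
        findings.append(f"entity expansion reaches {worst} characters (limit {max_expansion})")
    return {"entities": len(entities), "max_expansion": worst, "findings": findings}


# Constructed sample documents (not taken from any real report).
BENIGN = '<?xml version="1.0"?><!DOCTYPE note [ <!ENTITY org "Pardus"> ]><note>&org; &amp; friends</note>'
NESTED = ('<?xml version="1.0"?><!DOCTYPE d [ <!ENTITY a "&lt;&amp;"> '
          '<!ENTITY b "&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;"> ]><d>&c;</d>')
RECURSIVE = '<!DOCTYPE d [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><d/>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("nested", NESTED), ("recursive", RECURSIVE)):
        print(label, audit(doc, max_expansion=16))
```

The check runs on the raw bytes of the document, so it costs nothing that depends on the parser's own expansion behaviour, and a document with findings can be refused before apr-util ever sees it; the expansion limit should be set to whatever the application genuinely needs, not left at the illustrative default.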
Affected packages:
Pardus 2008:
apr-util, all before 1.2.12-7-3
Resolution
==========
There are update(s) for apr-util. You can update them via Package
Manager or with a single command from console:
pisi up apr-util
References
==========
* http://bugs.pardus.org.tr/show_bug.cgi?id=9980
* http://bugs.pardus.org.tr/show_bug.cgi?id=9981
* http://bugs.pardus.org.tr/show_bug.cgi?id=9982
* http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0023
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1955
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1956
* http://secunia.com/advisories/35284