First published: Tue Jun 16 2009
apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR, including support for XML, LDAP, database interfaces, URI parsing, and more.

An off-by-one overflow flaw was found in the way apr-util processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service (application crash). (CVE-2009-1956)

Note: The CVE-2009-1956 flaw only affects big-endian platforms, such as the IBM S/390 and PowerPC. It does not affect users using the apr-util package on little-endian platforms, due to their different organization of byte ordering used to represent particular data.

A denial of service flaw was found in the apr-util Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine. (CVE-2009-1955)

A heap-based underwrite flaw was found in the way apr-util created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. (CVE-2009-0023)

All apr-util users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the Apache Portable Runtime library, such as httpd, must be restarted for this update to take effect.
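The XML denial of service above (CVE-2009-1955) belongs to the recursive entity expansion class, in which a small document declares internal entities that reference each other so that a single reference in the body expands to gigabytes. The guard below is an added example, not apr-util or Red Hat code: it uses the standard-library expat binding to inspect every internal entity declaration as it is parsed and rejects the document once the fully expanded size of any entity exceeds a byte budget, which happens before the parser ever expands a reference in the body. The budget constant, the function names and the two sample documents (a small WebDAV-style request and a generated "billion laughs" document) are constructed for this illustration.

```python
"""Pre-parse guard against recursive entity expansion ("billion laughs").

Added example, not apr-util code: expat's entity-declaration callback is
used to compute how large each internal entity becomes when fully
expanded, and parsing is aborted as soon as one exceeds a budget.
"""
import re
import xml.parsers.expat

# Internal entities are referenced as &name;. Character references (&#...;)
# are not entities and are deliberately not matched.
_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")
MAX_EXPANSION_BYTES = 1_000_000  # assumed budget for this example; tune per application


class EntityExpansionError(ValueError):
    """Raised when declared entities would expand past the budget."""


class ExpansionGuard:
    def __init__(self, limit=MAX_EXPANSION_BYTES):
        self.limit = limit
        self.values = {}   # entity name -> replacement text as declared
        self.sizes = {}    # memo of fully expanded sizes, reset per declaration

    def on_entity_decl(self, name, is_parameter, value, base, system_id, public_id, notation):
        """expat EntityDeclHandler: check the budget at declaration time."""
        if value is None:          # external entity: nothing to expand locally
            return
        self.values[name] = value
        self.sizes.clear()         # earlier memo may refer to a then-undeclared name
        size = self.expanded_size(name, frozenset())
        if size > self.limit:
            raise EntityExpansionError(
                f"entity {name!r} expands to {size} bytes (limit {self.limit})")

    def expanded_size(self, name, stack):
        """Fully expanded length of entity `name`; `stack` detects cycles."""
        if name in self.sizes:
            return self.sizes[name]
        if name in stack:
            raise EntityExpansionError(f"recursive entity {name!r}")
        value = self.values.get(name)
        if value is None:          # undeclared or predefined: stays literal '&name;'
            return len(name) + 2
        total, pos = 0, 0
        for m in _ENTITY_REF.finditer(value):
            total += m.start() - pos
            total += self.expanded_size(m.group(1), stack | {name})
            pos = m.end()
        total += len(value) - pos
        self.sizes[name] = total
        return total


def parse_with_guard(document: str, limit=MAX_EXPANSION_BYTES) -> list:
    """Parse `document`, returning the element names seen in order.

    Raises EntityExpansionError (budget or cycle) or ExpatError (malformed).
    Entity declarations precede the body, so the budget check runs before
    any reference in the body is expanded.
    """
    guard = ExpansionGuard(limit)
    tags = []
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = guard.on_entity_decl
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.Parse(document, True)
    return tags


def is_safe(document: str, limit=MAX_EXPANSION_BYTES) -> bool:
    """True if the document parses within budget, False if it is rejected."""
    try:
        parse_with_guard(document, limit)
        return True
    except (EntityExpansionError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample: a harmless document with one small internal entity.
BENIGN_DOC = """<?xml version="1.0"?>
<!DOCTYPE propfind [ <!ENTITY ns "DAV:"> ]>
<propfind xmlns="&ns;"><prop><displayname/></prop></propfind>
"""


def make_bomb(depth: int = 9, fanout: int = 10) -> str:
    """Construct a 'billion laughs' document: lolN expands to 3 * fanout**N bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&lol{depth};</lolz>\n")


if __name__ == "__main__":
    print("benign:", is_safe(BENIGN_DOC))        # True
    print("bomb:  ", is_safe(make_bomb()))       # False, rejected at the lol6 declaration
```

The check is deliberately done from the declarations rather than by counting bytes during expansion: by the time a parser without such a limit has produced enough output to notice, the memory is already allocated. A parser that already enforces an expansion limit of its own (recent expat releases do) still benefits from the early rejection, since the document is refused before any body content is processed.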
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/apr-util | <1.2.7-7.el5_3.1 | 1.2.7-7.el5_3.1 |
redhat/apr-util-devel | <1.2.7-7.el5_3.1 | 1.2.7-7.el5_3.1 |
redhat/apr-util-docs | <1.2.7-7.el5_3.1 | 1.2.7-7.el5_3.1 |
redhat/apr-util | <0.9.4-22.el4_8.1 | 0.9.4-22.el4_8.1 |
redhat/apr-util-devel | <0.9.4-22.el4_8.1 | 0.9.4-22.el4_8.1 |
The severity of RHSA-2009:1107 is classified as important.
To fix RHSA-2009:1107, update to the fixed packages: apr-util 1.2.7-7.el5_3.1 on Red Hat Enterprise Linux 5 (el5_3) or apr-util 0.9.4-22.el4_8.1 on Red Hat Enterprise Linux 4 (el4_8), then restart every application that links against apr-util, such as httpd, so that it loads the patched library.
The affected packages are apr-util, apr-util-devel, and apr-util-docs (the -docs subpackage is listed only for the el5 build).
Exploitation of RHSA-2009:1107 could lead to denial of service (application crash or excessive memory consumption), disclosure of sensitive information on big-endian platforms only (CVE-2009-1956), or overwriting of arbitrary heap memory through a crafted search pattern (CVE-2009-0023). The advisory stops at heap memory corruption and does not assert arbitrary code execution.
There is no workaround for RHSA-2009:1107; applying the updated packages and restarting their consumers is the fix. Little-endian hosts are not exposed to CVE-2009-1956 but still need the update for the other two flaws.
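To tell whether a host is already at or beyond the fixed release, the installed version-release string has to be compared the way rpm compares it, not as plain text (the fix differs from the vulnerable release only by a trailing ".1"). The following is an added example, not Red Hat or rpm code: a compact reimplementation of rpm's version-segment ordering (digit runs compared as integers, letter runs lexically, digits sorting after letters, and the longer segment list winning when one is a prefix of the other; the tilde and caret rules of the full algorithm are omitted), applied to the fixed versions from this advisory. The rpm query line and the sample `rpm -q` output are constructed for the illustration and use only standard `--queryformat` tags.

```python
"""Compare installed apr-util version-release strings against RHSA-2009:1107.

Added example, not rpm or Red Hat code. Implements the core of rpm's
segment comparison (without tilde/caret handling) so that strings like
"1.2.7-7.el5_3" and "1.2.7-7.el5_3.1" order correctly.
"""
import re

# Fixed version-release per distribution tag, from the advisory.
FIXED = {
    "el5": "1.2.7-7.el5_3.1",
    "el4": "0.9.4-22.el4_8.1",
}

# Constructed query: prints "<name> <version>-<release>" per installed package.
RPM_QUERY = ("rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' "
             "apr-util apr-util-devel apr-util-docs")

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")  # separators (., _, +) only delimit segments


def compare_part(a: str, b: str) -> int:
    """rpm-style ordering of one version or release string; -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)          # numeric: leading zeros irrelevant
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1           # a numeric segment beats an alphabetic one
        elif x != y:
            return -1 if x < y else 1        # both alphabetic: lexical
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1   # "7.el5_3.1" > "7.el5_3"
    return 0


def compare_vr(a: str, b: str) -> int:
    """Compare "version-release" strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return compare_part(va, vb) or compare_part(ra, rb)


def dist_tag(vr: str) -> str:
    """Extract the elN tag ("el5", "el4") from a release such as 7.el5_3.1."""
    m = re.search(r"\.(el\d+)(?:[_.]|$)", vr)
    if not m or m.group(1) not in FIXED:
        raise ValueError(f"no fixed version known for {vr!r}")
    return m.group(1)


def is_patched(installed_vr: str) -> bool:
    """True if the installed version-release is at or above the advisory's fix."""
    return compare_vr(installed_vr, FIXED[dist_tag(installed_vr)]) >= 0


def audit(rpm_output: str) -> list:
    """Parse `rpm -q` output into (package, version-release, patched) tuples.

    Lines of the form "package X is not installed" are skipped; on RHEL 5
    multilib hosts a package may appear once per architecture.
    """
    results = []
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):
            continue
        name, vr = line.split(" ", 1)
        results.append((name, vr, is_patched(vr)))
    return results


# Constructed sample output from an unpatched RHEL 5 host (two architectures).
SAMPLE_RPM_OUTPUT = """apr-util 1.2.7-7.el5_3
apr-util 1.2.7-7.el5_3
apr-util-devel 1.2.7-7.el5_3
package apr-util-docs is not installed
"""

if __name__ == "__main__":
    for name, vr, ok in audit(SAMPLE_RPM_OUTPUT):
        print(f"{name:16} {vr:20} {'patched' if ok else 'VULNERABLE'}")
```

Run `RPM_QUERY` on the host and feed its output to `audit`. Because Red Hat backported the patches rather than rebuilding a newer upstream apr-util, the upstream version number (1.2.7 on RHEL 5, 0.9.4 on RHEL 4) never changes; the release field is the only thing that tells a fixed package from a vulnerable one, which is why text or float comparison of the version is not enough.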