
Full Disclosure mailing list archives

[SECURITY] [DSA-2117-1] New apr-util packages fix denial of service
From: Stefan Fritsch <sf () debian org>
Date: Mon, 04 Oct 2010 21:35:18 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2117-1                  security () debian org
http://www.debian.org/security/                           Stefan Fritsch
October 4, 2010                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : apr-util
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-1623

APR-util is part of the Apache Portable Runtime library which is used
by projects such as Apache httpd and Subversion.

Jeff Trawick discovered a flaw in the apr_brigade_split_line() function
in apr-util. A remote attacker could send crafted HTTP requests to
cause greatly increased memory consumption in Apache httpd, resulting
in a denial of service.

This upgrade fixes this issue. After the upgrade, any running apache2
server processes need to be restarted.

For the stable distribution (lenny), this problem has been fixed in
version 1.2.12+dfsg-8+lenny5.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.3.9+dfsg-4.

We recommend that you upgrade your apr-util packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMqkgZbxelr8HyTqQRAjgFAJ4vSvjB1pJAQ6K1V05ZdN9yUQLPmQCeOjmF
W8It1pOroUfphVqq2sVNN54=
=10/6
-----END PGP SIGNATURE-----
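
The advisory asks for two things: a fixed libaprutil1 version and a restart of running apache2 processes. The script below is an added example, not part of the advisory or of Debian's tooling, and it checks both. The function names are hypothetical, and it assumes that a process still mapping the replaced library shows it as "(deleted)" in /proc/PID/maps.

```shell
#!/bin/sh
# Added example: post-upgrade check for DSA-2117-1 (not part of the advisory).

# Fixed versions as stated in the advisory.
FIXED_LENNY='1.2.12+dfsg-8+lenny5'
FIXED_SQUEEZE_SID='1.3.9+dfsg-4'

# version_is_fixed INSTALLED FIXED
# Succeeds when INSTALLED >= FIXED under Debian version ordering.
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$2"
}

# stale_aprutil_pids [PROC_ROOT]
# Prints "PID COMMAND" for every process that still maps a libaprutil file
# which has been replaced on disk (the kernel marks it "(deleted)").
# PROC_ROOT defaults to /proc; the parameter is an assumption added so the
# function can be exercised against a constructed directory tree.
stale_aprutil_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libaprutil-1\.so.*(deleted)' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            echo "${dir##*/} $comm"
        fi
    done
}

main() {
    # Pass the squeeze/sid version as $1 on those releases.
    fixed=${1:-$FIXED_LENNY}
    installed=$(dpkg-query -W -f='${Version}' libaprutil1 2>/dev/null) || installed=
    if [ -z "$installed" ]; then
        echo "libaprutil1 is not installed"
    elif version_is_fixed "$installed" "$fixed"; then
        echo "libaprutil1 $installed is at or above $fixed"
    else
        echo "libaprutil1 $installed is older than $fixed: upgrade needed"
    fi
    stale=$(stale_aprutil_pids)
    if [ -n "$stale" ]; then
        echo "processes still using the replaced library (restart them):"
        echo "$stale"
    fi
}

main "$@"
```

Run it as root so that /proc/PID/maps of the apache2 processes is readable; an unprivileged run silently skips processes owned by other users.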
