
apr-util: multiple vulnerabilities

Package(s): apr-util
CVE #(s): CVE-2009-1955, CVE-2009-1956
Created: June 8, 2009
Updated: May 10, 2010
Description:

From the Mandriva advisory:

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564 (CVE-2009-1955).

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input (CVE-2009-1956).
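For the nested-entity case (CVE-2009-1955), the following is an added example, not code from apr-util or from the advisory: it applies a reject-all-entity-declarations policy through Python's xml.parsers.expat binding of the same expat parser, so the document is refused at the first <!ENTITY ...> before anything can be expanded. The two request bodies are constructed samples, and the remark that the apr_xml fix stops the parser from its entity-declaration callback is an assumption, not something the advisory states.

```python
import xml.parsers.expat

class EntityDeclarationRejected(Exception):
    """Raised when an untrusted document declares its own entities."""

def parse_untrusted_xml(data: bytes) -> list:
    """Parse with expat, refusing any <!ENTITY ...> declaration outright.

    Returns the element names seen, or raises EntityDeclarationRejected at
    the first declaration, before any reference to it can be expanded.
    Stopping inside the entity-declaration callback is assumed to be the
    shape of the apr_xml fix; the advisory text does not say so.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # Called while expat reads the DTD, so no expansion has happened
        # yet; the exception propagates out of Parse().
        raise EntityDeclarationRejected(name)

    def on_start(name, attrs):
        seen.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return seen

def accepts(data: bytes) -> bool:
    """True if the document parses under the no-entity-declaration policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except EntityDeclarationRejected:
        return False

# Constructed sample: a plain PROPFIND body with no DTD, which must pass.
BENIGN = (b'<?xml version="1.0"?>'
          b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')

# Constructed sample: the same body with an internal DTD whose entities
# reference each other. A long chain of these is the memory-consumption
# pattern the advisory describes; the policy refuses the document at the
# first declaration, whatever the chain length.
NESTED = (b'<?xml version="1.0"?>'
          b'<!DOCTYPE D:propfind [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
          b'<D:propfind xmlns:D="DAV:"><D:prop>&b;</D:prop></D:propfind>')
```

Expat 2.4 and later also caps entity amplification on its own; an explicit policy like this one keeps the decision visible and independent of the library version.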

Alerts:
SuSE SUSE-SR:2010:011 2010-05-10
Mandriva MDVSA-2009:314 2009-12-04
rPath rPSA-2009-0123-1 2009-08-24
SuSE SUSE-SR:2009:013 2009-08-11
Slackware SSA:2009-214-01 2009-08-03
Gentoo 200907-03 2009-07-04
Fedora FEDORA-2009-6261 2009-06-15
Fedora FEDORA-2009-5969 2009-06-15
Fedora FEDORA-2009-6014 2009-06-15
CentOS CESA-2009:1107 2009-06-19
Red Hat RHSA-2009:1108-01 2009-06-16
Red Hat RHSA-2009:1107-01 2009-06-16
Slackware SSA:2009-167-02 2009-06-17
CentOS CESA-2009:1108 2009-06-17
Ubuntu USN-787-1 2009-06-12
Ubuntu USN-786-1 2009-06-10
Mandriva MDVSA-2009:131-1 2009-06-06
Mandriva MDVSA-2009:131 2009-06-06


Copyright © 2013, Eklektix, Inc.