Magnum BBS > Forum > Usenet > LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 1854-1] New APR packages fix arbitrary code execution (

    From Florian Weimer@1:229/2 to All on Sat Aug 8 21:00:18 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1854-1 [email protected]
    http://www.debian.org/security/ Florian Weimer
    August 08, 2009 http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : apr, apr-util
    Vulnerability : heap buffer overflow
    Debian-specific: no
    CVE Id(s) : CVE-2009-2412

    Matt Lewis discovered that the memory management code in the Apache
    Portable Runtime (APR) library does not guard against a wrap-around
    during size computations. This could cause the library to return a
    memory area which is smaller than requested, resulting in a heap overflow
    and possibly arbitrary code execution.
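    The size wrap-around described above, shown as an added example that is
    not part of this advisory and not APR's own code: a toy pool allocator
    first computes its block size the unchecked way (request plus header,
    rounded up to the alignment), then the checked way. The alignment, the
    header size and the pool layout are assumptions chosen for illustration;
    the point is that an unchecked addition can wrap past SIZE_MAX and hand
    back a block smaller than the caller asked for, while the checked version
    rejects the request before any memory is touched.

```c
/* Added example (not from the advisory or from APR): overflow-prone versus
 * checked block-size computation in a small pool allocator. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN 8u                 /* assumed allocation alignment (power of two) */
#define HDR   sizeof(size_t)     /* assumed per-block header holding the size */

/* Round n up to a multiple of ALIGN without any overflow check. */
static size_t align_up_unchecked(size_t n) {
    return (n + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* Vulnerable pattern: requested + HDR (and the alignment adjustment) may wrap
 * past SIZE_MAX, so the result can be far smaller than `requested`. */
size_t block_size_unchecked(size_t requested) {
    return align_up_unchecked(requested + HDR);
}

/* Hardened pattern: each addition is tested against SIZE_MAX before it is
 * performed. Returns false instead of a wrapped-around size. */
bool block_size_checked(size_t requested, size_t *out) {
    if (requested > SIZE_MAX - HDR)
        return false;                          /* requested + HDR would wrap */
    size_t n = requested + HDR;
    if (n > SIZE_MAX - (ALIGN - 1))
        return false;                          /* alignment round-up would wrap */
    *out = (n + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
    return true;
}

/* Convenience wrapper: checked block size, or 0 when the request is rejected. */
size_t checked_or_zero(size_t requested) {
    size_t out = 0;
    return block_size_checked(requested, &out) ? out : 0;
}

typedef struct {
    unsigned char *base;   /* backing storage */
    size_t cap;            /* total bytes available */
    size_t used;           /* bytes handed out so far (always <= cap) */
} pool_t;

/* Allocate from a fixed pool. Returns NULL if the size computation would
 * wrap or if the pool does not have enough room left. */
void *pool_alloc(pool_t *p, size_t requested) {
    size_t need;
    if (!block_size_checked(requested, &need))
        return NULL;
    if (need > p->cap - p->used)   /* used <= cap, so this cannot underflow */
        return NULL;
    unsigned char *blk = p->base + p->used;
    p->used += need;
    memcpy(blk, &requested, HDR);  /* record the caller's size in the header */
    return blk + HDR;
}

/* Scenario used by main(): returns 1 if the pool behaves as described. */
int pool_demo(void) {
    unsigned char buf[64];
    pool_t p = { buf, sizeof buf, 0 };
    void *a = pool_alloc(&p, 13);            /* fits: 24 bytes consumed */
    void *b = pool_alloc(&p, SIZE_MAX - 2);  /* rejected: size would wrap */
    void *c = pool_alloc(&p, 100);           /* rejected: only 40 bytes left */
    return a != NULL && b == NULL && c == NULL && p.used == 24;
}

int main(void) {
    size_t huge = SIZE_MAX - 2;
    printf("unchecked size for SIZE_MAX-2: %zu (wrapped, smaller than requested)\n",
           block_size_unchecked(huge));
    printf("checked size for SIZE_MAX-2:   %zu (0 means rejected)\n",
           checked_or_zero(huge));
    printf("checked size for 13:           %zu\n", checked_or_zero(13));
    printf("pool behaves as expected:      %s\n", pool_demo() ? "yes" : "no");
    return 0;
}
```

    The unchecked variant is exactly the shape of bug the advisory names:
    the arithmetic completes without error and the allocator proceeds with a
    block that cannot hold what the caller will write into it. The checked
    variant costs two comparisons and turns that condition into an
    allocation failure the caller must handle.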

    For the old stable distribution (etch), this problem has been fixed in
    version 1.2.7-9 of the apr package, and version 1.2.7+dfsg-2+etch3 of
    the apr-util package.

    For the stable distribution (lenny), this problem has been fixed in
    version 1.2.12-5+lenny1 of the apr package and version 1.2.12-5+lenny1
    of the apr-util package.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your APR packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    Source archives:

    http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.7+dfsg.orig.tar.gz
    Size/MD5 checksum: 643328 a3117be657f99e92316be40add59b9ff
    http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.7+dfsg-2+etch3.dsc
    Size/MD5 checksum: 1036 9dc256c005a7f544c4d5c410b226fb74
    http://security.debian.org/pool/updates/main/a/apr/apr_1.2.7-9.diff.gz
    Size/MD5 checksum: 26613 021ef3aa5b3a9fc021779a0b6a6a4ec9
    http://security.debian.org/pool/updates/main/a/apr-util/apr-util_1.2.7+dfsg-2+etch3.diff.gz
    Size/MD5 checksum: 21651 e090ebfd7174c90bae4e4935a3d3db15
    http://security.debian.org/pool/updates/main/a/apr/apr_1.2.7.orig.tar.gz
    Size/MD5 checksum: 1102370 aea926cbe588f844ad9e317157d60175
    http://security.debian.org/pool/updates/main/a/apr/apr_1.2.7-9.dsc
    Size/MD5 checksum: 856 89662625fd7a34ceb514087de869d918

    alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/a/apr/libapr1_1.2.7-9_alpha.deb
    Size/MD5 checksum: 121726 df1e2d6e8bf9ed485ad417fe274eb0e3
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch3_alpha.deb
    Size/MD5 checksum: 83690 b5873275f420b15f9868ea0dde699c60
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dev_1.2.7-9_alpha.deb
    Size/MD5 checksum: 371668 4e8bd42151f3cdf8cee91c49599aab42
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch3_alpha.deb
    Size/MD5 checksum: 129158 5074639b4b0d9877ff29b96540fdfaec
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dbg_1.2.7-9_alpha.deb
    Size/MD5 checksum: 185420 ddf84849ff3bee792dc187c6d21958bd
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch3_alpha.deb
    Size/MD5 checksum: 148140 079cff06535a7e3f4e9a5d682d80bb1b

    amd64 architecture (AMD x86_64 (AMD64))

    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch3_amd64.deb
    Size/MD5 checksum: 72946 6b11e4b65bdf67981a091177d9644007
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch3_amd64.deb
    Size/MD5 checksum: 126156 b420f555d02504e0497a0ba3c27e0cac
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch3_amd64.deb
    Size/MD5 checksum: 127742 1606857f3291ccb10e038219f1f2eab3
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dbg_1.2.7-9_amd64.deb
    Size/MD5 checksum: 187302 bb1a4aa5768fa012201ad1e72bc27e93
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dev_1.2.7-9_amd64.deb
    Size/MD5 checksum: 348120 b5d6b4e7c628dffe867159b54b6c82f1
    http://security.debian.org/pool/updates/main/a/apr/libapr1_1.2.7-9_amd64.deb
    Size/MD5 checksum: 111664 6b51dc29ea4defa975902d246188086f

    arm architecture (ARM)

    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch3_arm.deb
    Size/MD5 checksum: 121504 3ba789c274f2ed7030aa286ea57dbb3d
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dbg_1.2.7-9_arm.deb
    Size/MD5 checksum: 175146 86ff258e9181fa424cb043dc22e2c0e0
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch3_arm.deb
    Size/MD5 checksum: 117302 97d701c8f9d6746eb14448bfde8e8588
    http://security.debian.org/pool/updates/main/a/apr/libapr1_1.2.7-9_arm.deb
    Size/MD5 checksum: 104934 45a976662beb7ec3b15ee7c7a45f3de7
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch3_arm.deb
    Size/MD5 checksum: 66110 09c54142359236f50654bd9c7b375781
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dev_1.2.7-9_arm.deb
    Size/MD5 checksum: 335520 14d06ecfb54247718b780c893df8f4cc

    hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dbg_1.2.7+dfsg-2+etch3_hppa.deb
    Size/MD5 checksum: 126186 9494353aa42e983a245af2890dd2c6d7
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1_1.2.7+dfsg-2+etch3_hppa.deb
    Size/MD5 checksum: 78668 60c87b0e86c1ed31deecddd88cdf5fa5
    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch3_hppa.deb
    Size/MD5 checksum: 133918 ae993c733053a326603c5b750505bee9

    i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/a/apr-util/libaprutil1-dev_1.2.7+dfsg-2+etch3_i386.deb
    Size/MD5 checksum: 116052 6238f10eb5077bb53b9664b82b985c40
    http://security.debian.org/pool/updates/main/a/apr/libapr1-dev_1.2.7-9_i386.deb

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)