apr-util is a utility library used with the Apache Portable Runtime (APR).It aims to provide a free library of C data structures and routines. Thislibrary contains additional utility interfaces for APR; including supportfor XML, LDAP, database interfaces, URI parsing, and more.An off-by-one overflow flaw was found in the way apr-util processed avariable list of arguments. An attacker could provide a specially-craftedstring as input for the formatted output conversion routine, which could,on big-endian platforms, potentially lead to the disclosure of sensitiveinformation or a denial of service (application crash). (CVE-2009-1956)Note: The CVE-2009-1956 flaw only affects big-endian platforms, such as theIBM S/390 and PowerPC. It does not affect users using the apr-util packageon little-endian platforms, due to their different organization of byteordering used to represent particular data.A denial of service flaw was found in the apr-util Extensible MarkupLanguage (XML) parser. A remote attacker could create a specially-craftedXML document that would cause excessive memory consumption when processedby the XML decoding engine. (CVE-2009-1955)A heap-based underwrite flaw was found in the way apr-util created compiledforms of particular search patterns. An attacker could formulate aspecially-crafted search keyword, that would overwrite arbitrary heapmemory locations when processed by the pattern preparation engine.(CVE-2009-0023)All apr-util users should upgrade to these updated packages, which containbackported patches to correct these issues. Applications using the ApachePortable Runtime library, such as httpd, must be restarted for this updateto take effect.