RHSA-2009:1204: apr and apr-util security update
Description
The Apache Portable Runtime (APR) is a portability library used by theApache HTTP Server and other projects. It aims to provide a free libraryof C data structures and routines. apr-util is a utility library used withAPR. This library provides additional utility interfaces for APR; includingsupport for XML parsing, LDAP, database interfaces, URI parsing, and more.Multiple integer overflow flaws, leading to heap-based buffer overflows,were found in the way the Apache Portable Runtime (APR) manages memory pooland relocatable memory allocations. An attacker could use these flaws toissue a specially-crafted request for memory allocation, which would leadto a denial of service (application crash) or, potentially, executearbitrary code with the privileges of an application using the APRlibraries. (CVE-2009-2412)All apr and apr-util users should upgrade to these updated packages, whichcontain backported patches to correct these issues. Applications using theAPR libraries, such as httpd, must be restarted for this update to takeeffect.
Solution(s)
- redhat-upgrade-apr
- redhat-upgrade-apr-devel
- redhat-upgrade-apr-docs
- redhat-upgrade-apr-util
- redhat-upgrade-apr-util-devel
- redhat-upgrade-apr-util-docs
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center