Rapid7 Vulnerability & Exploit Database

RHSA-2009:1204: apr and apr-util security update


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 08/06/2009
Created: 07/25/2018
Added: 09/12/2009
Modified: 07/04/2017

Description

The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It aims to provide a free library of C data structures and routines. apr-util is a utility library used with APR. This library provides additional utility interfaces for APR, including support for XML parsing, LDAP, database interfaces, URI parsing, and more.

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the Apache Portable Runtime (APR) manages memory pool and relocatable memory allocations. An attacker could use these flaws to issue a specially-crafted request for memory allocation, which would lead to a denial of service (application crash) or, potentially, execute arbitrary code with the privileges of an application using the APR libraries. (CVE-2009-2412)

All apr and apr-util users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the APR libraries, such as httpd, must be restarted for this update to take effect.
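As an added illustration of the flaw class the advisory describes (this is not APR's or Rapid7's code), the C block below contrasts an unchecked pool-size round-up, where a request near SIZE_MAX wraps to a tiny allocation, with a round-up that detects the wrap and refuses the request; ALIGN_DEFAULT, align_unchecked, align_checked and pool_alloc are hypothetical names, and the sample sizes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Pool allocators round a requested size up to an alignment boundary
 * before carving it out of a block. If that arithmetic wraps, a huge
 * request becomes a small allocation and the caller's later writes run
 * past the end of the heap block. */
#define ALIGN_DEFAULT 8   /* hypothetical alignment, not APR's macro */

/* Unchecked round-up: the shape of the defect the advisory describes.
 * For in_size close to SIZE_MAX the addition wraps and the result is 0. */
static size_t align_unchecked(size_t in_size) {
    return (in_size + ALIGN_DEFAULT - 1) & ~(size_t)(ALIGN_DEFAULT - 1);
}

/* Hardened round-up: writes the aligned size to *out and returns 1,
 * or returns 0 (leaving *out untouched) when the round-up wrapped. */
static int align_checked(size_t in_size, size_t *out) {
    size_t size = (in_size + ALIGN_DEFAULT - 1) & ~(size_t)(ALIGN_DEFAULT - 1);
    if (size < in_size) {
        return 0;   /* wrapped past SIZE_MAX: reject instead of under-allocating */
    }
    *out = size;
    return 1;
}

/* Hypothetical pool allocation entry point built on the checked helper. */
static void *pool_alloc(size_t in_size) {
    size_t size;
    if (!align_checked(in_size, &size)) {
        return NULL;
    }
    return malloc(size);
}

int main(void) {
    size_t huge = SIZE_MAX - 2;   /* constructed: just below the limit */
    size_t aligned = 0;
    printf("unchecked: %zu -> %zu\n", huge, align_unchecked(huge));
    printf("checked:   %s\n", align_checked(huge, &aligned) ? "ok" : "refused");
    void *p = pool_alloc(huge);
    printf("pool_alloc(huge) %s\n", p ? "succeeded" : "refused");
    free(p);
    return 0;
}
```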

Solution(s)

  • redhat-upgrade-apr
  • redhat-upgrade-apr-devel
  • redhat-upgrade-apr-docs
  • redhat-upgrade-apr-util
  • redhat-upgrade-apr-util-devel
  • redhat-upgrade-apr-util-docs
