Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201405-24 ] Apache Portable Runtime, APR Utility Library: Denial of Service
Date: Sun, 18 May 2014 17:58:33
Message-Id: 5378F39D.6000702@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201405-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
   Title: Apache Portable Runtime, APR Utility Library: Denial of Service
    Date: May 18, 2014
    Bugs: #339527, #366903, #368651, #399089
      ID: 201405-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Memory consumption errors in Apache Portable Runtime and APR Utility
Library could result in Denial of Service.

Background
==========

The Apache Portable Runtime (aka APR) provides a set of APIs for
creating platform-independent applications. The Apache Portable Runtime
Utility Library (aka APR-Util) provides an interface to functionality
such as XML parsing, string matching and database connections.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/apr                 < 1.4.8-r1               >= 1.4.8-r1
  2  dev-libs/apr-util              < 1.3.10                  >= 1.3.10
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Apache Portable
Runtime and APR Utility Library. Please review the CVE identifiers
referenced below for details.

Impact
======

A remote attacker could cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache Portable Runtime users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/apr-1.4.8-r1"

All users of the APR Utility Library should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.10"

Packages which depend on these libraries may need to be recompiled.
Tools such as revdep-rebuild may assist in identifying some of these
packages.
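As an added example (not part of the advisory and not Gentoo's own tooling), the following Python script checks an installed-package listing against the two "Unaffected" thresholds from the table above. It handles the revision edge case the table turns on: dev-libs/apr-1.4.8 is still vulnerable, 1.4.8-r1 is not. The listing format (one category/package-version per line, the shape Portage tools print) and the sample data are constructed; the version grammar is a simplified subset of Gentoo's and the name/version split is a heuristic, both labelled in the code.

```python
import re
from typing import List, Tuple

# Unaffected ("fixed") versions, copied from this GLSA's affected-packages table.
FIXED_VERSIONS = {
    "dev-libs/apr": "1.4.8-r1",
    "dev-libs/apr-util": "1.3.10",
}

# Constructed sample of an installed-package listing in category/package-version
# form. Not real system output.
SAMPLE_INSTALLED = """\
dev-libs/apr-1.4.6
dev-libs/apr-util-1.3.10
dev-libs/expat-2.1.0
"""

# Simplified Gentoo version grammar: dotted integers plus an optional -rN revision.
# Suffixes such as _p1, _rc2 or a trailing letter are deliberately not handled.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> Tuple[List[int], int]:
    """Return (numeric components, revision); a missing -rN counts as revision 0."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    components = [int(p) for p in m.group(1).split(".")]
    revision = int(m.group(2)) if m.group(2) else 0
    return components, revision


def version_less_than(a: str, b: str) -> bool:
    """True if a < b under the simplified grammar (1.4.8 < 1.4.8-r1 < 1.5)."""
    ca, ra = parse_version(a)
    cb, rb = parse_version(b)
    # Pad the shorter component list so 1.4 and 1.4.0 compare as equal.
    width = max(len(ca), len(cb))
    ca = ca + [0] * (width - len(ca))
    cb = cb + [0] * (width - len(cb))
    return (ca, ra) < (cb, rb)


def split_atom(atom: str) -> Tuple[str, str]:
    """Split 'dev-libs/apr-util-1.3.10' into ('dev-libs/apr-util', '1.3.10').

    Heuristic (an assumption of this example): the version starts at the
    first '-' that is directly followed by a digit. That holds for the
    hyphenated package names in this advisory.
    """
    m = re.search(r"-(?=\d)", atom)
    if m is None:
        raise ValueError(f"no version in atom: {atom!r}")
    return atom[:m.start()], atom[m.end():]


def find_vulnerable(installed_listing: str) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for each listed package still below its fix."""
    hits = []
    for line in installed_listing.splitlines():
        line = line.strip()
        if not line:
            continue
        package, installed = split_atom(line)
        fixed = FIXED_VERSIONS.get(package)
        if fixed is not None and version_less_than(installed, fixed):
            hits.append((package, installed, fixed))
    return hits


if __name__ == "__main__":
    for package, installed, fixed in find_vulnerable(SAMPLE_INSTALLED):
        print(f"{package}-{installed} is affected; upgrade to >={package}-{fixed}")
```

On the sample listing only dev-libs/apr-1.4.6 is reported; apr-util is already at 1.3.10 and expat is outside the advisory's scope. Feed it the real installed list and the hits map one-to-one onto the emerge lines in the Resolution section.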

References
==========

[ 1 ] CVE-2010-1623
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1623
[ 2 ] CVE-2011-0419
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0419
[ 3 ] CVE-2011-1928
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1928
[ 4 ] CVE-2012-0840
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0840

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201405-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments: signature.asc (application/pgp-signature)