Mandriva je izdala zakrpu koja otklanja sigurnosni propust programskog paketa APR koji je moguće iskoristiti za izvođenje DoS napada.
Paket:
apr 1.3.X
Operacijski sustavi:
Mandriva Linux 2010, Mandriva Linux 2010.1
Kritičnost:
3/10
Problem:
pogreška u programskoj funkciji
Iskorištavanje:
lokalno/udaljeno
Posljedica:
uskraćivanje usluga (DoS)
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-0419
Izvorni ID preporuke:
MDVSA-2011:084
Izvor:
Mandriva
Problem:
Propust se javlja u funkciji "apr_fnmatch()" prilikom obrade uzoraka sa znakom "*".
Posljedica:
Napadač može iskoristiti ranjivost za trošenje memorije spremnika ili korištenje prekomjernog CPU vremena prilikom provjere ulaznih podataka. Uspješno iskorištavanje propusta može rezultirati DoS napadom.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:084
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apr
Date : May 13, 2011
Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
It was discovered that the apr_fnmatch() function used an unconstrained
recursion when processing patterns with the '*' wildcard. An
attacker
could use this flaw to cause an application using this function,
which also accepted untrusted input as a pattern for matching (such
as an httpd server using the mod_autoindex module), to exhaust all
stack memory or use an excessive amount of CPU time when performing
matching (CVE-2011-0419).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
be64584ff33e8b302b98371cc2250737
2009.0/i586/libapr1-1.3.3-2.2mdv2009.0.i586.rpm
f7dc54c6193e0ca7f3a24606e9d7a418
2009.0/i586/libapr-devel-1.3.3-2.2mdv2009.0.i586.rpm
1b7160e3c2178a302c07a6e23d59c82d 2009.0/SRPMS/apr-1.3.3-2.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
8d7329923bb5e81dbca4ea1d355e2846
2009.0/x86_64/lib64apr1-1.3.3-2.2mdv2009.0.x86_64.rpm
7838341b9612ac1ab78606a8c2143306
2009.0/x86_64/lib64apr-devel-1.3.3-2.2mdv2009.0.x86_64.rpm
1b7160e3c2178a302c07a6e23d59c82d 2009.0/SRPMS/apr-1.3.3-2.2mdv2009.0.src.rpm
Mandriva Linux 2010.0:
50d349a278f9fb9ddae7fe78b9c7cfb5
2010.0/i586/libapr1-1.3.9-1.1mdv2010.0.i586.rpm
a2ab8bacb929689515885f8f6b55e20b
2010.0/i586/libapr-devel-1.3.9-1.1mdv2010.0.i586.rpm
09656854ddec250000ae8ec2a54db5ac 2010.0/SRPMS/apr-1.3.9-1.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
d1d1660e4427134fd94eb61c6bf50573
2010.0/x86_64/lib64apr1-1.3.9-1.1mdv2010.0.x86_64.rpm
0c26aa24bf82e860353f5d279f1d7c3d
2010.0/x86_64/lib64apr-devel-1.3.9-1.1mdv2010.0.x86_64.rpm
09656854ddec250000ae8ec2a54db5ac 2010.0/SRPMS/apr-1.3.9-1.1mdv2010.0.src.rpm
Mandriva Linux 2010.1:
6bcbd128393e66f857a0237858b8296c
2010.1/i586/libapr1-1.4.2-1.1mdv2010.2.i586.rpm
711375d83f3e8ba475f5e50e9cd72c58
2010.1/i586/libapr-devel-1.4.2-1.1mdv2010.2.i586.rpm
1e79b3cbed82fe6a72a5e363ee6de1ac 2010.1/SRPMS/apr-1.4.2-1.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
10e549216a50287a8b00ceabc989f582
2010.1/x86_64/lib64apr1-1.4.2-1.1mdv2010.2.x86_64.rpm
dcb20d2f8c1698ad7da97d8cfad775bc
2010.1/x86_64/lib64apr-devel-1.4.2-1.1mdv2010.2.x86_64.rpm
1e79b3cbed82fe6a72a5e363ee6de1ac 2010.1/SRPMS/apr-1.4.2-1.1mdv2010.2.src.rpm
Corporate 4.0:
14e8e64d57936ac0d07614bd67446f03
corporate/4.0/i586/libapr1-1.2.7-1.2.20060mlcs4.i586.rpm
ce54af727421b84a6b44e1e93c026d2e
corporate/4.0/i586/libapr1-devel-1.2.7-1.2.20060mlcs4.i586.rpm
b32595e78258a491a42ca109d6bceba2
corporate/4.0/SRPMS/apr-1.2.7-1.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
8d384c32df7462ea43898d5747a8896e
corporate/4.0/x86_64/lib64apr1-1.2.7-1.2.20060mlcs4.x86_64.rpm
ceb813bb8fbcd8047c4bb8938bdef32b
corporate/4.0/x86_64/lib64apr1-devel-1.2.7-1.2.20060mlcs4.x86_64.rpm
b32595e78258a491a42ca109d6bceba2
corporate/4.0/SRPMS/apr-1.2.7-1.2.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
7e3ca3eb765d21b1366f55c9b9b56027
mes5/i586/libapr1-1.3.3-2.2mdvmes5.2.i586.rpm
fbf9421168cb26090b5ff021a2bb823a
mes5/i586/libapr-devel-1.3.3-2.2mdvmes5.2.i586.rpm
f7afcb8a3dd0ecca2998a32df747afc9 mes5/SRPMS/apr-1.3.3-2.2mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
418475e740da85914275f648045dbacb
mes5/x86_64/lib64apr1-1.3.3-2.2mdvmes5.2.x86_64.rpm
bc4a3e5372735992d633f5933b540891
mes5/x86_64/lib64apr-devel-1.3.3-2.2mdvmes5.2.x86_64.rpm
f7afcb8a3dd0ecca2998a32df747afc9 mes5/SRPMS/apr-1.3.3-2.2mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNzRTYmqjQ0CJFipgRArnuAKC5bjB2514IeZ28goZnvrQX3nI9HwCfS7M7
45Ow0utD+phZX5PXfEeE+20=
=Y0XA
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke