apr -- multiple vulnerabilities

Description:

Secunia reports:

Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).

A vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition.

A vulnerability is caused due to an error within the "apr_strmatch_precompile()" function in strmatch/apr_strmatch.c, which can be exploited to crash an application using the library.

RedHat reports:

A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function.

References:

BugTraq ID 35221
CVE name CVE-2009-1955
CVE name CVE-2009-1956
CVE name CVE-2009-0023
URL: <http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3>
URL: <http://secunia.com/advisories/35284/>
URL: <https://bugzilla.redhat.com/show_bug.cgi?id=3D504390>

Affects:

apr <1.3.5.1.3.7
apache >=2.2.0 <2.2.11_5
apache >=2.0.0 <2.0.63_3

portaudit: apr -- multiple vulnerabilities

Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.

If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Team. Refer to "FreeBSD Security Information" for more information.

Oliver Eikemeier <eik@FreeBSD.org>