Bug 1424

Summary: apr security update
Product: Mageia Reporter: Jérôme Soyer <saispo>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: dmorganec
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: apr-1.4.2-8.mga1.src.rpm CVE:
Status comment:

Description Jérôme Soyer 2011-05-25 19:26:32 CEST 
Package        : apr
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0419 CVE-2011-1928
Debian bug     : 627182


The recent APR update DSA-2237-1 introduced a regression that could
lead to an endless loop in the apr_fnmatch() function, causing a
denial of service. This update fixes this problem (CVE-2011-1928).

For reference, the description of the original DSA, which fixed
CVE-2011-0419:

A flaw was found in the APR library, which could be exploited through
Apache HTTPD's mod_autoindex.  If a directory indexed by mod_autoindex
contained files with sufficiently long names, a remote attacker could
send a carefully crafted request which would cause excessive CPU
usage. This could be used in a denial of service attack.

We recommend that you upgrade your apr packages and restart the
apache2 server.apr security update
Comment 1 D Morgan 2011-05-25 21:08:57 CEST 
already fixed in mageia ( the patch is apr-1.4.x-CVE-2011-0419,1928.diff )

Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED