Bug 1424 - apr security update
Summary: apr security update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-25 19:26 CEST by Jérôme Soyer
Modified: 2011-05-25 21:08 CEST

See Also:
Source RPM: apr-1.4.2-8.mga1.src.rpm
CVE:
Status comment:



Description Jérôme Soyer 2011-05-25 19:26:32 CEST
Package        : apr
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0419 CVE-2011-1928
Debian bug     : 627182


The recent APR update DSA-2237-1 introduced a regression that could
lead to an endless loop in the apr_fnmatch() function, causing a
denial of service. This update fixes this problem (CVE-2011-1928).

For reference, the description of the original DSA, which fixed
CVE-2011-0419:

A flaw was found in the APR library, which could be exploited through
Apache HTTPD's mod_autoindex.  If a directory indexed by mod_autoindex
contained files with sufficiently long names, a remote attacker could
send a carefully crafted request which would cause excessive CPU
usage. This could be used in a denial of service attack.

We recommend that you upgrade your apr packages and restart the
apache2 server.
Comment 1 D Morgan 2011-05-25 21:08:57 CEST
Already fixed in Mageia (the patch is apr-1.4.x-CVE-2011-0419,1928.diff).

Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED

