Scientific Linux Security Update : apr-util on SL4.x, SL5.x i386/x86_64

high Nessus Plugin ID 60597
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

An off-by-one overflow flaw was found in the way apr-util processed a variable list of arguments. An attacker could provide a specially crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service (application crash). (CVE-2009-1956)

A denial of service flaw was found in the apr-util Extensible Markup Language (XML) parser. A remote attacker could create a specially crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine. (CVE-2009-1955)

A heap-based underwrite flaw was found in the way apr-util created compiled forms of particular search patterns. An attacker could formulate a specially crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine. (CVE-2009-0023)

Applications using the Apache Portable Runtime library, such as httpd, must be restarted for this update to take effect.

Solution

Update the affected apr-util, apr-util-devel and / or apr-util-docs packages.

See Also

http://www.nessus.org/u?d45eca7a

Plugin Details

Severity: High

ID: 60597

File Name: sl_20090616_apr_util_on_SL4_x.nasl

Version: 1.13

Type: local

Agent: unix

Published: 8/1/2012

Updated: 1/14/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 6/16/2009

Reference Information

CVE: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956

CWE: 119, 189, 399