Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2009:1108
The remote host is missing updates announced in
advisory RHSA-2009:1108.

The Apache HTTP Server is a popular Web server. The httpd package shipped
with Red Hat Enterprise Linux 3 contains an embedded copy of the Apache
Portable Runtime (APR) utility library, a free library of C data structures
and routines, which includes interfaces to support XML parsing, LDAP
connections, database interfaces, URI parsing, and more.

An off-by-one overflow flaw was found in the way apr-util processed a
variable list of arguments. An attacker could provide a specially-crafted
string as input for the formatted output conversion routine, which could,
on big-endian platforms, potentially lead to the disclosure of sensitive
information or a denial of service (application crash). (CVE-2009-1956)

Note: The CVE-2009-1956 flaw only affects big-endian platforms, such as the
IBM S/390 and PowerPC. It does not affect users using the httpd package on
little-endian platforms, due to their different organization of byte
ordering used to represent particular data.

A denial of service flaw was found in the apr-util Extensible Markup
Language (XML) parser. A remote attacker could create a specially-crafted
XML document that would cause excessive memory consumption when processed
by the XML decoding engine. (CVE-2009-1955)

A heap-based underwrite flaw was found in the way apr-util created compiled
forms of particular search patterns. An attacker could formulate a
specially-crafted search keyword, that would overwrite arbitrary heap
memory locations when processed by the pattern preparation engine.

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.

Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

CVSS Score:

CVSS Vector:

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-0023
BugTraq ID: 35221
Bugtraq: 20091112 rPSA-2009-0144-1 apr-util (Google Search)
Debian Security Information: DSA-1812 (Google Search)
HPdes Security Advisory: HPSBUX02612
HPdes Security Advisory: SSRT100345
XForce ISS Database: apache-aprstrmatchprecompile-dos(50964)
Common Vulnerability Exposure (CVE) ID: CVE-2009-1955
BugTraq ID: 35253
Bugtraq: 20090824 rPSA-2009-0123-1 apr-util (Google Search)
SuSE Security Announcement: SUSE-SR:2010:011 (Google Search)
Common Vulnerability Exposure (CVE) ID: CVE-2009-1956
BugTraq ID: 35251
CopyrightCopyright (c) 2009 E-Soft Inc.

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

© 1998-2021 E-Soft Inc. All rights reserved.