Bug 503928 (CVE-2009-0023)
| Summary: | CVE-2009-0023 apr-util heap buffer underwrite | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Josh Bressers <bressers> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bojan, jorton, kreilly, mjc |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 17:10:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 504558, 504559, 504560, 504561, 504562, 505027, 591930, 595829 | | |
| Bug Blocks: | | | |
Description
Josh Bressers
2009-06-03 12:10:19 UTC
After looking through the things in RHEL that use this function, nothing is using it to parse untrusted remote data. Everything uses this function to parse configuration data, which significantly reduces the severity of this flaw.

This subsequent change: http://svn.apache.org/viewvc?view=rev&revision=781063 fixes another instance of the same mistake, but in this case it would seem to result in only a buffer underread, not a write. I'll include both changes.

This issue has been addressed in the following products: Red Hat Enterprise Linux 3. Via RHSA-2009:1108 https://rhn.redhat.com/errata/RHSA-2009-1108.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 4. Via RHSA-2009:1107 https://rhn.redhat.com/errata/RHSA-2009-1107.html

apr-util-1.2.12-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

apr-util-1.3.7-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

apr-util-1.3.7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products: JBEWS 1.0.0 for RHEL 4. Via RHSA-2009:1160 https://rhn.redhat.com/errata/RHSA-2009-1160.html

This issue has been addressed in the following products: Red Hat Certificate System 7.3. Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html