diff options
| author | pgollucci <pgollucci@FreeBSD.org> | 2009-06-08 10:21:52 +0800 |
|---|---|---|
| committer | pgollucci <pgollucci@FreeBSD.org> | 2009-06-08 10:21:52 +0800 |
| commit | 187a8a9d1a379fcfb20197436b5587d8b48e22ab (patch) | |
| tree | 10ca702c4620c8a45baaa6faa9d080ce95ae1865 /security/vuxml | |
| parent | 65078f964f9d2ac7924d7aae4d57f5d7f928e0d0 (diff) | |
| download | freebsd-ports-gnome-187a8a9d1a379fcfb20197436b5587d8b48e22ab.tar.gz freebsd-ports-gnome-187a8a9d1a379fcfb20197436b5587d8b48e22ab.tar.zst freebsd-ports-gnome-187a8a9d1a379fcfb20197436b5587d8b48e22ab.zip | |
Document DOS in apr-util xml(expat) processing
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Diffstat (limited to 'security/vuxml')
| -rw-r--r-- | security/vuxml/vuln.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 07045195b470..6f7e8b87d13a 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,56 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="eb9212f7-526b-11de-bbf2-001b77d09812"> + <topic>apr -- multiple vulnerabilities</topic> + <affects> + <package> + <name>apr</name> + <range><lt>1.3.5.1.3.7</lt></range> + </package> + <package> + <name>apache</name> + <range><ge>2.2.0</ge><lt>2.2.11_5</lt></range> + <range><ge>2.0.0</ge><lt>2.0.63_3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Secunia reports:</p> + <blockquote + cite="http://secunia.com/advisories/35284/"> + <p>Some vulnerabilities have been reported in APR-util, which + can be exploited by malicious users and malicious people to + cause a DoS (Denial of Service).</p> + <p>A vulnerability is caused due to an error in the processing + of XML files and can be exploited to exhaust all available + memory via a specially crafted XML file containing a + predefined entity inside an entity definition.</p> + <p>A vulnerability is caused due to an error within the + "apr_strmatch_precompile()" function in + strmatch/apr_strmatch.c, which can be exploited to crash an + application using the library.</p> + </blockquote> + <p>RedHat reports:</p> + <blockquote + cite="https://bugzilla.redhat.com/show_bug.cgi?id=3D504390"> + <p>A single NULL byte buffer overflow flaw was found in + apr-util's apr_brigade_vprintf() function.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2009-0023</cvename> + <bid>35221</bid> + <url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url> + <url>http://secunia.com/advisories/35284/</url> + <url>https://bugzilla.redhat.com/show_bug.cgi?id=3D504390</url> + </references> + <dates> + <discovery>2009-06-05</discovery> + <entry>TODAY</entry> + </dates> + </vuln> <vuln vid="4f838b74-50a1-11de-b01f-001c2514716c"> <topic>dokuwiki -- Local File Inclusion with register_globals on</topic> <affects> |