CVE-2009-2412: Apache httpd: APR apr_palloc heap overflow

CVE ID

CVE-2009-2412

DESCRIPTION

A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way.

Detail from the CVE

The affected asset is vulnerable to this Apache vulnerability ONLY if a non-Apache application can be passed unsanitized user-provided sizes to the apr_palloc() function. Review your Web server configuration for validation.

Severity: low

Unitrends has no exposure because Unitrends web programs do not allocate user-controlled size

RESOLUTION

For CentOS5, apr-1.2.7-11.el5_3.1 and apr-util-1.2.7-7.el5_3.2 or later has the fix, and Unitrends appliances should already have apr-util-1.2.7-7.el5_3.2.

For CentOS6, the distribution already contains this fix.

Fixed in Apache httpd 2.2.13
 

LINK TO ADVISORIES

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us