CVE ID
CVE-2009-2412
DESCRIPTION
A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that pass a user-controlled size to apr_palloc(). The overflow comes from unchecked arithmetic when apr_palloc() rounds the requested size up to the allocator's alignment: a request close to the maximum representable size wraps to a much smaller allocation, which the caller then writes past. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so the flaw could only be triggered through some other application that uses apr_palloc() in a vulnerable way.
Detail from the CVE
The affected asset is vulnerable to this Apache vulnerability ONLY if a non-Apache application passes unsanitized user-provided sizes to the apr_palloc() function. Review the Web server and any third-party applications on it that use APR, and confirm that sizes derived from request data are validated before they reach apr_palloc().
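The following is an added example, not code from this advisory, from Unitrends, or from APR's own source. It models in plain C, without linking libapr, the alignment rounding in apr_palloc() whose unchecked addition wraps for very large requests, the wrap check that the fixed version performs, and the caller-side validation the advisory asks for when an application takes an allocation size from request data. ALIGN_DEFAULT reproduces the arithmetic of APR_ALIGN_DEFAULT() (round up to 8 bytes); the function names rounded_size, rounding_wraps, parse_user_length, user_length_is_valid and alloc_from_user_length, the 64 KiB cap, and the input strings are all chosen here for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Round a request up to an 8-byte boundary, the same arithmetic as APR's
 * APR_ALIGN_DEFAULT(). The addition is unchecked, which is the defect. */
#define ALIGN_DEFAULT(size) (((size) + 7) & ~((size_t)7))

/* Pre-fix behaviour: the number of bytes the allocator would really reserve
 * for 'in_size'. Near SIZE_MAX the addition wraps, so a request for almost
 * 2^64 bytes comes back as 0 and the caller's writes overflow the heap. */
size_t rounded_size(size_t in_size)
{
    return ALIGN_DEFAULT(in_size);
}

/* The wrap check the fix introduces: the rounded size must never be smaller
 * than the request. Returns 1 when rounding would wrap (the allocation must
 * be refused), 0 otherwise. */
int rounding_wraps(size_t in_size)
{
    return ALIGN_DEFAULT(in_size) < in_size;
}

/* Caller-side validation: accept a length field taken from request data only
 * if it is a plain decimal number no larger than 'max'. Returns 0 and stores
 * the value in *out (when out is non-NULL), or -1 on any rejection. */
int parse_user_length(const char *field, size_t max, size_t *out)
{
    char *end = NULL;
    unsigned long long v;

    /* Require a leading digit: this rejects empty strings, signs and leading
     * whitespace, all of which strtoull() would otherwise silently accept. */
    if (field == NULL || field[0] < '0' || field[0] > '9')
        return -1;

    errno = 0;
    v = strtoull(field, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* does not fit the type, or trailing junk */
    if (v > max)
        return -1;              /* more than this program will ever allocate */

    if (out != NULL)
        *out = (size_t)v;
    return 0;
}

/* Yes/no form of the same check, convenient for callers that only gate. */
int user_length_is_valid(const char *field, size_t max)
{
    return parse_user_length(field, max, NULL) == 0;
}

/* Safe allocation from a request-supplied length: validate the field, apply
 * the wrap check, and only then allocate. A user-controlled size is never
 * handed straight to the allocator. Returns NULL on rejection. */
void *alloc_from_user_length(const char *field, size_t max)
{
    size_t n;

    if (parse_user_length(field, max, &n) != 0)
        return NULL;
    if (rounding_wraps(n))
        return NULL;
    return calloc(1, rounded_size(n));
}

int main(void)
{
    /* Constructed inputs: one sane length field and one request near the
     * top of the address space, the shape of input that triggers the wrap. */
    const char *sane = "4096";
    size_t huge = SIZE_MAX - 3;

    printf("request %zu bytes -> allocator reserves %zu bytes (wraps: %d)\n",
           huge, rounded_size(huge), rounding_wraps(huge));
    printf("length field \"%s\" valid under a 64 KiB cap: %d\n",
           sane, user_length_is_valid(sane, 65536));

    void *p = alloc_from_user_length(sane, 65536);
    free(p);
    return 0;
}
```

The cap passed as max is the real control here: the wrap check only stops the arithmetic defect, while the application-level limit stops a client from steering how much memory the server reserves at all.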
Severity: low
Unitrends has no exposure because Unitrends web programs do not allocate user-controlled sizes.
RESOLUTION
For CentOS5, apr-1.2.7-11.el5_3.1 and apr-util-1.2.7-7.el5_3.2 or later contain the fix, and Unitrends appliances should already have apr-util-1.2.7-7.el5_3.2. The installed versions can be confirmed with rpm -q apr apr-util.
For CentOS6, the distribution already contains this fix.
Fixed in Apache httpd 2.2.13