
Bug#416611: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)



Package: libapache-mod-perl
Version: 1.29.0.4-4.1
Severity: important
Tags: security

A problem was recently discovered in how mod_perl 1.x deals with special 
characters in the file_info part of URLs. Exploitation of this problem 
could cause a DoS. 

The problem was fixed in the recent 1.30 RC1 of the package:

SECURITY: CVE-2007-1349 (cve.mitre.org)
fix unescaped variable interpolation in Apache::PerlRun
regular expression to prevent regex engine tampering.
reported by Alex Solovey
[Randal L. Schwartz <merlyn@stonehenge.com>, Fred Moyer 
<fred@redhotpenguin.com>]

I think only a single line needs to be patched to fix the problem. It 
seems likely that all versions of Debian exhibit the problem, but I 
leave it to others to decide whether it is a release-critical problem for 
etch.

Best,

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
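
The class of bug named in the changelog entry above, as an added Perl example that is not part of the original report and is not the Apache::PerlRun source: a request-derived string interpolated into a regular expression unescaped, next to the same substitution with `\Q...\E`. The function names, the `$path_info` variable name and the sample URIs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers and constructed inputs; not code from mod_perl.

# Weak form: $path_info is interpolated as a pattern, so any regex
# metacharacters it contains are interpreted by the regex engine.
sub strip_path_info_unescaped {
    my ($uri, $path_info) = @_;
    # eval catches the runtime die raised when the pattern is invalid.
    my $ok = eval { $uri =~ s/$path_info$//; 1 };
    return $ok ? $uri : undef;    # undef: the pattern did not compile
}

# Hardened form: \Q...\E (quotemeta) makes the value match literally.
sub strip_path_info_quoted {
    my ($uri, $path_info) = @_;
    $uri =~ s/\Q$path_info\E$//;
    return $uri;
}

# Constructed samples: [ request URI, trailing path portion ]
my @samples = (
    [ '/perl/app.pl/report',  '/report'  ],   # no metacharacters
    [ '/perl/app.pl/a+b',     '/a+b'     ],   # "+" read as a quantifier
    [ '/perl/app.pl/item(1',  '/item(1'  ],   # "(" makes the pattern invalid
);

for my $sample (@samples) {
    my ($uri, $path_info) = @$sample;
    my $weak = strip_path_info_unescaped($uri, $path_info);
    printf "%-10s unescaped=%-20s quoted=%s\n",
        $path_info,
        defined $weak ? $weak : '(pattern error)',
        strip_path_info_quoted($uri, $path_info);
}
```

Without the `eval`, the invalid pattern raises a fatal error in the handler, and the second sample shows the quieter failure where the substitution silently does not match. The quoted form strips the literal suffix in all three cases.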


