Bug#416611: marked as done (libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349))
Your message dated Mon, 10 Mar 2008 16:13:08 +0100
with message-id <200803101613.09738.sf@sfritsch.de>
and subject line libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
has caused the Debian Bug report #416611,
regarding libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
416611: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libapache-mod-perl: Possible DoS problem with PerlRun (CVE-2007-1349)
- From: Kjetil Kjernsmo <kjetilk@opera.com>
- Date: Thu, 29 Mar 2007 10:58:25 +0200
- Message-id: <200703291058.25986.kjetilk@opera.com>
Package: libapache-mod-perl
Version: 1.29.0.4-4.1
Severity: important
Tags: security
A problem was recently discovered in how mod_perl 1.x deals with special
characters in the file_info part of URLs; exploitation of this problem
could cause a DoS.
The problem was fixed in the recent 1.30 RC1 of the package:
SECURITY: CVE-2007-1349 (cve.mitre.org)
fix unescaped variable interpolation in Apache::PerlRun
regular expression to prevent regex engine tampering.
reported by Alex Solovey
[Randal L. Schwartz <merlyn@stonehenge.com>, Fred Moyer
<fred@redhotpenguin.com>]
I think only a single line needs to be patched to fix the problem. It
seems likely that all versions of Debian exhibit the problem, but I
leave it to others to decide if it is a release critical problem for
etch.
Best,
Kjetil
--
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
--- End Message ---
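The changelog entry quoted in the report above describes unescaped variable interpolation in a regular expression. The Perl below is an added illustration, not code from mod_perl or from this bug report: it contrasts interpolating a request-derived string directly into a pattern with quoting it via \Q...\E. The helper names and sample URIs are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers (not mod_perl code): strip a request-supplied
# trailing part ($info) from a URI to recover the script's own URI.

# Unsafe: $info is interpolated as regex source, so any metacharacters
# it contains are compiled and executed by the regex engine.
sub strip_unsafe {
    my ($uri, $info) = @_;
    my $ok = eval { $uri =~ s/$info$//; 1 };
    # Without the eval, a pattern that fails to compile would kill
    # the request handler instead of returning a value.
    return $ok ? $uri : 'regex error: ' . (split /\n/, $@)[0];
}

# Safe: \Q...\E applies quotemeta, so $info can only match as the
# literal text it contains.
sub strip_safe {
    my ($uri, $info) = @_;
    $uri =~ s/\Q$info\E$//;
    return $uri;
}

# Constructed sample inputs: [ full URI, trailing part to strip ]
my @samples = (
    [ '/perl/app.pl/extra/path', '/extra/path' ],  # no metacharacters
    [ '/perl/app.pl/.*',         '/.*'         ],  # '.*' read as a wildcard
    [ '/perl/app.pl/x(',         '/x('         ],  # unbalanced group
);

for my $sample (@samples) {
    my ($uri, $info) = @$sample;
    print "uri:    $uri\n";
    print "unsafe: [", strip_unsafe($uri, $info), "]\n";
    print "safe:   [", strip_safe($uri, $info),   "]\n\n";
}
```

With the unquoted pattern, the second sample removes the whole URI rather than its tail and the third fails to compile; the quoted form returns /perl/app.pl in all three cases.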
--- Begin Message ---
version: 1.3.34-4.1+etch1
This was recently fixed in a stable point release for etch.
--- End Message ---