Dear stable release managers, Please approve the upload of libapache2-mod-perl2 2.0.4-5+lenny1 to stable. This is needed for closing a security bug (#567635, CVE-2009-0796) which was not deemed worth a DSA. Changelog: libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796) Patch taken from r760926 of upstream SVN. Closes: #567635 -- Damyan Ivanov <dmn@debian.org> Sun, 31 Jan 2010 08:40:19 +0200 100-svn-XSS-Status.patch, interdiff and debdiff attached. Thank you.
# Description: Fix XSS in Apache2::Status (CVE-2009-0796)
# Origin: http://svn.apache.org/viewvc/perl/modperl/trunk/lib/Apache2/Status.pm?r1=607697&r2=760926&pathrev=761081&view=patch
# Bug-Debian: 567635
--- a/lib/Apache2/Status.pm
+++ b/lib/Apache2/Status.pm
@@ -29,7 +29,7 @@ use File::Spec ();

 use Apache2::Const -compile => qw(OK);

-$Apache2::Status::VERSION = '4.00'; # mod_perl 2.0
+$Apache2::Status::VERSION = '4.01'; # mod_perl 2.0

 use constant IS_WIN32 => ($^O eq "MSWin32");

@@ -126,7 +126,7 @@ sub handler {
 $r->print(symdump($r, $qs));
 }
 else {
- my $uri = $r->uri;
+ my $uri = $r->location;
 $r->print('<p>');
 $r->print(
 map { qq[<a href="$uri?$_">$status{$_}</a><br />\n] } sort { lc $a cmp lc $b } keys %status
@@ -198,7 +198,7 @@ sub status_section_config {
 sub status_inc {
 my ($r) = @_;

- my $uri = $r->uri;
+ my $uri = $r->location;
 my @retval = (
 '<table border="1">',
 "<tr>",
@@ -289,7 +289,7 @@ sub status_rgysubs {
 my ($r) = @_;

 local $_;
- my $uri = $r->uri;
+ my $uri = $r->location;
 my $cache = __PACKAGE__->registry_cache;

 my @retval = "<h2>Compiled registry scripts grouped by their handler</h2>";
@@ -765,7 +765,7 @@ sub as_HTML {
 my ($self, $package, $r) = @_;

 my @m = qw(<table>);
- my $uri = $r->uri;
+ my $uri = $r->location;
 my $is_main = $package eq "main";

 my $do_dump = has($r, "dumper");
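Review bot: `$uri` is still interpolated unescaped into `qq[<a href="$uri?$_">$status{$_}</a><br />\n]` in the `handler` hunk, so the fix rests entirely on `$r->location` being configuration data rather than request data, and nothing on the changed lines says so. A comment at each of the four assignments (`handler`, `status_inc`, `status_rgysubs`, `as_HTML`; the same lines recur in the debdiff hunk that adds `debian/patches/100-svn-XSS-Status.patch`), such as `# configured <Location> path, not the request URI: $r->uri is client-controlled (CVE-2009-0796)`, would keep a later cleanup from reverting to `$r->uri`. The places where `$uri` is used in the other three subs lie outside their hunks, so whether any other request-derived value reaches the generated markup there cannot be judged from this patch. If the handler is ever mounted under a pattern-based section, `$r->location` is presumably the pattern rather than a usable link prefix, which is worth confirming before relying on it.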
diff -u libapache2-mod-perl2-2.0.4/debian/changelog libapache2-mod-perl2-2.0.4/debian/changelog
--- libapache2-mod-perl2-2.0.4/debian/changelog
+++ libapache2-mod-perl2-2.0.4/debian/changelog
@@ -1,3 +1,11 @@
+libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high
+
+ * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
+ Patch taken from r760926 of upstream SVN.
+ Closes: #567635
+
+ -- Damyan Ivanov <dmn@debian.org> Sun, 31 Jan 2010 08:40:19 +0200
+
 libapache2-mod-perl2 (2.0.4-5) unstable; urgency=low

 [ gregor herrmann ]
diff -u libapache2-mod-perl2-2.0.4/debian/patches/series libapache2-mod-perl2-2.0.4/debian/patches/series
--- libapache2-mod-perl2-2.0.4/debian/patches/series
+++ libapache2-mod-perl2-2.0.4/debian/patches/series
@@ -8,0 +9 @@
+100-svn-XSS-Status.patch
only in patch2:
unchanged:
--- libapache2-mod-perl2-2.0.4.orig/debian/patches/100-svn-XSS-Status.patch
+++ libapache2-mod-perl2-2.0.4/debian/patches/100-svn-XSS-Status.patch
@@ -0,0 +1,50 @@
+# Description: Fix XSS in Apache2::Status (CVE-2009-0796)
+# Origin: http://svn.apache.org/viewvc/perl/modperl/trunk/lib/Apache2/Status.pm?r1=607697&r2=760926&pathrev=761081&view=patch
+# Bug-Debian: 567635
+--- a/lib/Apache2/Status.pm
++++ b/lib/Apache2/Status.pm
+@@ -29,7 +29,7 @@ use File::Spec ();
+
+ use Apache2::Const -compile => qw(OK);
+
+-$Apache2::Status::VERSION = '4.00'; # mod_perl 2.0
++$Apache2::Status::VERSION = '4.01'; # mod_perl 2.0
+
+ use constant IS_WIN32 => ($^O eq "MSWin32");
+
+@@ -126,7 +126,7 @@ sub handler {
+ $r->print(symdump($r, $qs));
+ }
+ else {
+- my $uri = $r->uri;
++ my $uri = $r->location;
+ $r->print('<p>');
+ $r->print(
+ map { qq[<a href="$uri?$_">$status{$_}</a><br />\n] } sort { lc $a cmp lc $b } keys %status
+@@ -198,7 +198,7 @@ sub status_section_config {
+ sub status_inc {
+ my ($r) = @_;
+
+- my $uri = $r->uri;
++ my $uri = $r->location;
+ my @retval = (
+ '<table border="1">',
+ "<tr>",
+@@ -289,7 +289,7 @@ sub status_rgysubs {
+ my ($r) = @_;
+
+ local $_;
+- my $uri = $r->uri;
++ my $uri = $r->location;
+ my $cache = __PACKAGE__->registry_cache;
+
+ my @retval = "<h2>Compiled registry scripts grouped by their handler</h2>";
+@@ -765,7 +765,7 @@ sub as_HTML {
+ my ($self, $package, $r) = @_;
+
+ my @m = qw(<table>);
+- my $uri = $r->uri;
++ my $uri = $r->location;
+ my $is_main = $package eq "main";
+
+ my $do_dump = has($r, "dumper");
File lists identical (after any substitutions) Control files of package libapache2-mod-perl2: lines which differ (wdiff format) -------------------------------------------------------------------------------- Version: [-2.0.4-5-] {+2.0.4-5+lenny1+} Control files of package libapache2-mod-perl2-dev: lines which differ (wdiff format) ------------------------------------------------------------------------------------ Version: [-2.0.4-5-] {+2.0.4-5+lenny1+} Control files of package libapache2-mod-perl2-doc: lines which differ (wdiff format) ------------------------------------------------------------------------------------ Version: [-2.0.4-5-] {+2.0.4-5+lenny1+}