Bug#913885: stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
This fixes a low-severity security issue which was recently fixed in
unstable (and also jessie-lts):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
The release will be set correctly when the changelog is finalised.
Cheers,
Dominic.
diff -Nru libapache2-mod-perl2-2.0.10/debian/changelog libapache2-mod-perl2-2.0.10/debian/changelog
--- libapache2-mod-perl2-2.0.10/debian/changelog 2016-12-25 09:51:10.000000000 +0000
+++ libapache2-mod-perl2-2.0.10/debian/changelog 2018-11-16 12:46:23.000000000 +0000
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.10-2+deb9u1) UNRELEASED; urgency=medium
+
+ * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
+ user controlled configuration (Closes: #644169)
+
+ -- Dominic Hargreaves <dom@earth.li> Fri, 16 Nov 2018 12:46:23 +0000
+
libapache2-mod-perl2 (2.0.10-2) unstable; urgency=medium
* Patch the test suite for Apache 2.4.24 compatibility.
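Review bot: the new entry's header line still targets UNRELEASED, which has to read stretch before this can be accepted; the cover note says that will happen when the changelog is finalised, so this is only a reminder to check the final debdiff. The bullet also names only <Perl> sections, while the patch shipped alongside it changes the Perl, =pod, =back, =cut and __END__ entries in the same way. Suggest wording the bullet to cover those as well, so an admin reading the changelog after a point-release upgrade can tell why a configuration that uses them outside the main server config stopped loading.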
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch
--- libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch 2018-11-16 11:44:22.000000000 +0000
@@ -0,0 +1,41 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 18 Sep 2018 19:03:15 +0200
+Subject: CVE-2011-2767
+
+Original patch by Jan Ingvoldstad.
+
+Bug-Debian: https://bugs.debian.org/644169
+Origin: https://bugs.debian.org/644169#19
+---
+ src/modules/perl/mod_perl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/modules/perl/mod_perl.c b/src/modules/perl/mod_perl.c
+index d3245bf..25c64ab 100644
+--- a/src/modules/perl/mod_perl.c
++++ b/src/modules/perl/mod_perl.c
+@@ -913,18 +913,18 @@ static const command_rec modperl_cmds[] = {
+ MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"),
+ MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"),
+ MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"),
+- MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
+- MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
++ MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
++ MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"),
+
+ MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter,
+ "filter[;filter]"),
+ MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter,
+ "filter[;filter]"),
+
+- MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
+- MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
+- MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
+- MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
++ MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
++ MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
++ MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
++ MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
+
+ MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"),
+ #ifdef MP_TRACE
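Review bot: the patch header documents nothing beyond "Subject: CVE-2011-2767" and "Original patch by Jan Ingvoldstad", so the reason for swapping MP_CMD_DIR_RAW_ARGS* for MP_CMD_SRV_RAW_ARGS* on all six entries has to be dug out of the linked bug. Suggest adding a short Description that states which configuration contexts stop accepting these directives after the change and that existing configurations relying on them there will be rejected. The diffstat shows only mod_perl.c touched, so no test accompanies the change; a case asserting that a <Perl> section in user-controlled configuration is refused would guard against the entries being switched back later.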
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/series libapache2-mod-perl2-2.0.10/debian/patches/series
--- libapache2-mod-perl2-2.0.10/debian/patches/series 2016-12-24 21:45:42.000000000 +0000
+++ libapache2-mod-perl2-2.0.10/debian/patches/series 2018-11-16 12:46:14.000000000 +0000
@@ -15,3 +15,4 @@
honour-env-LDFLAGS.patch
370_http_syntax.patch
380_inject_header_line_terminators.patch
+CVE-2011-2767.patch