Bug#913885: marked as done (stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #913885,
regarding stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
913885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913885
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1
• From: Dominic Hargreaves <dom@earth.li>
• Date: Fri, 16 Nov 2018 12:57:27 +0000
• Message-id: <154237304755.8295.1862566239804688615.reportbug@urchin.earth.li>

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes a low-severity security issue which was recently fixed in
unstable (and also jessie-lts):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169

The release will be set correctly when the changelog is finalised.

Cheers,
Dominic.

diff -Nru libapache2-mod-perl2-2.0.10/debian/changelog libapache2-mod-perl2-2.0.10/debian/changelog
--- libapache2-mod-perl2-2.0.10/debian/changelog	2016-12-25 09:51:10.000000000 +0000
+++ libapache2-mod-perl2-2.0.10/debian/changelog	2018-11-16 12:46:23.000000000 +0000
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.10-2+deb9u1) UNRELEASED; urgency=medium
+
+  * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
+    user controlled configuration (Closes: #644169)
+
+ -- Dominic Hargreaves <dom@earth.li>  Fri, 16 Nov 2018 12:46:23 +0000
+
 libapache2-mod-perl2 (2.0.10-2) unstable; urgency=medium
 
   * Patch the test suite for Apache 2.4.24 compatibility.
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch
--- libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch	1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch	2018-11-16 11:44:22.000000000 +0000
@@ -0,0 +1,41 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 18 Sep 2018 19:03:15 +0200
+Subject: CVE-2011-2767
+
+Original patch by Jan Ingvoldstad.
+
+Bug-Debian: https://bugs.debian.org/644169
+Origin: https://bugs.debian.org/644169#19
+---
+ src/modules/perl/mod_perl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/modules/perl/mod_perl.c b/src/modules/perl/mod_perl.c
+index d3245bf..25c64ab 100644
+--- a/src/modules/perl/mod_perl.c
++++ b/src/modules/perl/mod_perl.c
+@@ -913,18 +913,18 @@ static const command_rec modperl_cmds[] = {
+     MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"),
+     MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"),
+     MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
+-    MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
++    MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"),
+ 
+     MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter,
+                      "filter[;filter]"),
+     MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter,
+                      "filter[;filter]"),
+ 
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
+ 
+     MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"),
+ #ifdef MP_TRACE
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/series libapache2-mod-perl2-2.0.10/debian/patches/series
--- libapache2-mod-perl2-2.0.10/debian/patches/series	2016-12-24 21:45:42.000000000 +0000
+++ libapache2-mod-perl2-2.0.10/debian/patches/series	2018-11-16 12:46:14.000000000 +0000
@@ -15,3 +15,4 @@
 honour-env-LDFLAGS.patch
 370_http_syntax.patch
 380_inject_header_line_terminators.patch
+CVE-2011-2767.patch

--- End Message ---

--- Begin Message ---

• To: 871937-done@bugs.debian.org, 878816-done@bugs.debian.org, 880622-done@bugs.debian.org, 882824-done@bugs.debian.org, 887157-done@bugs.debian.org, 887399-done@bugs.debian.org, 891569-done@bugs.debian.org, 891649-done@bugs.debian.org, 891660-done@bugs.debian.org, 892845-done@bugs.debian.org, 892853-done@bugs.debian.org, 893541-done@bugs.debian.org, 893543-done@bugs.debian.org, 893550-done@bugs.debian.org, 896811-done@bugs.debian.org, 906142-done@bugs.debian.org, 906239-done@bugs.debian.org, 906813-done@bugs.debian.org, 908957-done@bugs.debian.org, 908960-done@bugs.debian.org, 908965-done@bugs.debian.org, 909127-done@bugs.debian.org, 909131-done@bugs.debian.org, 909213-done@bugs.debian.org, 913085-done@bugs.debian.org, 913525-done@bugs.debian.org, 913529-done@bugs.debian.org, 913801-done@bugs.debian.org, 913881-done@bugs.debian.org, 913885-done@bugs.debian.org, 913942-done@bugs.debian.org, 914032-done@bugs.debian.org, 914081-done@bugs.debian.org, 914184-done@bugs.debian.org, 914265-done@bugs.debian.org, 914475-done@bugs.debian.org, 914594-done@bugs.debian.org, 914841-done@bugs.debian.org, 914961-done@bugs.debian.org, 915715-done@bugs.debian.org, 915875-done@bugs.debian.org, 916435-done@bugs.debian.org, 916627-done@bugs.debian.org, 916632-done@bugs.debian.org, 916882-done@bugs.debian.org, 916912-done@bugs.debian.org, 917560-done@bugs.debian.org, 917620-done@bugs.debian.org, 917820-done@bugs.debian.org, 917900-done@bugs.debian.org, 917911-done@bugs.debian.org, 918337-done@bugs.debian.org, 918601-done@bugs.debian.org, 918762-done@bugs.debian.org, 919106-done@bugs.debian.org, 919712-done@bugs.debian.org, 919990-done@bugs.debian.org, 920372-done@bugs.debian.org, 920379-done@bugs.debian.org, 920381-done@bugs.debian.org, 920382-done@bugs.debian.org, 920632-done@bugs.debian.org, 920804-done@bugs.debian.org, 921107-done@bugs.debian.org, 921117-done@bugs.debian.org, 921281-done@bugs.debian.org, 921475-done@bugs.debian.org, 921620-done@bugs.debian.org, 921642-done@bugs.debian.org, 921643-done@bugs.debian.org, 921743-done@bugs.debian.org, 921811-done@bugs.debian.org, 921825-done@bugs.debian.org, 921844-done@bugs.debian.org, 921857-done@bugs.debian.org, 921864-done@bugs.debian.org, 921876-done@bugs.debian.org, 921885-done@bugs.debian.org, 921893-done@bugs.debian.org, 921907-done@bugs.debian.org, 921908-done@bugs.debian.org, 921910-done@bugs.debian.org, 921911-done@bugs.debian.org, 921997-done@bugs.debian.org, 922221-done@bugs.debian.org
• Subject: Closing bugs for updates included in 9.8
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 16 Feb 2019 11:36:33 +0000
• Message-id: <1550316993.21192.50.camel@adam-barratt.org.uk>

Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---