[Security Announce] [ MDKSA-2007:083 ] - Updated apache-mod_perl packages fix DoS vulnerability
Posted on: 04/11/2007 09:25 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:083
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache-mod_perl
Date : April 11, 2007
Affected: 2006.0, 2007.0, 2007.1, Corporate 3.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

PerlRun.pm in Apache mod_perl 1.30 and earlier, and RegistryCooker.pm
in mod_perl 2.x, does not properly escape PATH_INFO before use in a
regular expression, which allows remote attackers to cause a denial
of service (resource consumption) via a crafted URI.

Updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
36fc6ebd1647bf1cd0d404f19342ad7e 2006.0/i586/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.i586.rpm
02dce36084140d70e829e47d960ea576 2006.0/i586/apache-mod_perl-devel-2.0.54_2.0.1-6.1.20060mdk.i586.rpm
0b880a7578f7f0d4378f9e21204696c9 2006.0/SRPMS/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
fa69d3b6658b440e244404c8a27dc31a 2006.0/x86_64/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.x86_64.rpm
e2cd324ddefb059d9e15c7cf29378dd6 2006.0/x86_64/apache-mod_perl-devel-2.0.54_2.0.1-6.1.20060mdk.x86_64.rpm
0b880a7578f7f0d4378f9e21204696c9 2006.0/SRPMS/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.src.rpm

Mandriva Linux 2007.0:
a5144771fa71b818e2d89f8c417c5243 2007.0/i586/apache-mod_perl-2.0.2-8.1mdv2007.0.i586.rpm
a165f6820d6c1ffd2cfc671aa2a44310 2007.0/i586/apache-mod_perl-devel-2.0.2-8.1mdv2007.0.i586.rpm
a3829703a55a306a1132d496e63ec652 2007.0/SRPMS/apache-mod_perl-2.0.2-8.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
af928b60d4291c583bad0f4c04ca6169 2007.0/x86_64/apache-mod_perl-2.0.2-8.1mdv2007.0.x86_64.rpm
e54445500f5ca4a28a3a4bbb2223d792 2007.0/x86_64/apache-mod_perl-devel-2.0.2-8.1mdv2007.0.x86_64.rpm
a3829703a55a306a1132d496e63ec652 2007.0/SRPMS/apache-mod_perl-2.0.2-8.1mdv2007.0.src.rpm

Mandriva Linux 2007.1:
e52c43b0f7a66915e4c76aae38d3877b 2007.1/i586/apache-mod_perl-2.0.3-3.1mdv2007.1.i586.rpm
01fcca2beb3f2c79d9f4ac8aae13c631 2007.1/i586/apache-mod_perl-devel-2.0.3-3.1mdv2007.1.i586.rpm
3d752f5e1d08baf118da6ce8407a4ee7 2007.1/SRPMS/apache-mod_perl-2.0.3-3.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
e969fb39acb7ce53cf8528fbc6283a9d 2007.1/x86_64/apache-mod_perl-2.0.3-3.1mdv2007.1.x86_64.rpm
4d43ab40be1bd7b404866ae0af6e2663 2007.1/x86_64/apache-mod_perl-devel-2.0.3-3.1mdv2007.1.x86_64.rpm
3d752f5e1d08baf118da6ce8407a4ee7 2007.1/SRPMS/apache-mod_perl-2.0.3-3.1mdv2007.1.src.rpm

Corporate 3.0:
e5e446755e5b3b403e573ee356bd01be corporate/3.0/i586/HTML-Embperl-1.3.29_1.3.6-3.2.C30mdk.i586.rpm
1399d977fdae6085bc59102b8577c052 corporate/3.0/i586/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.i586.rpm
c49b2f2564a381aa22dd02b9d4f7c607 corporate/3.0/i586/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.i586.rpm
f2534e8cd62267e0cfffb147323e816c corporate/3.0/i586/apache2-mod_perl-devel-2.0.48_1.99_11-3.1.C30mdk.i586.rpm
cd85d71d94598d066a912b57ea8b1534 corporate/3.0/i586/mod_perl-common-1.3.29_1.29-3.2.C30mdk.i586.rpm
32700fd599acc6d2e012f00155586bc1 corporate/3.0/i586/mod_perl-devel-1.3.29_1.29-3.2.C30mdk.i586.rpm
0ff32be9c7e314b93142b25c0ccfc3ff corporate/3.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.src.rpm
672b33503464c59bdda5025f1004ab0b corporate/3.0/SRPMS/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
afc8e04510079792d9bf6a2c43dad3cf corporate/3.0/x86_64/HTML-Embperl-1.3.29_1.3.6-3.2.C30mdk.x86_64.rpm
35977f84e3a1ce37e0f5a50814675c7a corporate/3.0/x86_64/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
a8c7bd9351bcc6c83b204646df7bffdd corporate/3.0/x86_64/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.x86_64.rpm
397ad0e9ea70f6f0bcdae436b7dd4e53 corporate/3.0/x86_64/apache2-mod_perl-devel-2.0.48_1.99_11-3.1.C30mdk.x86_64.rpm
42c4e59c5174e84b7b7659de0f6d0b3e corporate/3.0/x86_64/mod_perl-common-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
7acc7a6c50b41a4c9900910a0c1b3ec0 corporate/3.0/x86_64/mod_perl-devel-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
0ff32be9c7e314b93142b25c0ccfc3ff corporate/3.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.src.rpm
672b33503464c59bdda5025f1004ab0b corporate/3.0/SRPMS/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.src.rpm

Corporate 4.0:
c7dbc8d2b1f4a7959cc8ba28b229512c corporate/4.0/i586/apache-mod_perl-2.0.2-8.1.20060mlcs4.i586.rpm
88e16a7e0755a3a1fe987f6f2c44336c corporate/4.0/i586/apache-mod_perl-devel-2.0.2-8.1.20060mlcs4.i586.rpm
b540d29b6047b936c56df54fc112840a corporate/4.0/SRPMS/apache-mod_perl-2.0.2-8.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
737b44aec85fe3177a10c95e42394f08 corporate/4.0/x86_64/apache-mod_perl-2.0.2-8.1.20060mlcs4.x86_64.rpm
f0244a54e2366d511486a2b4a0243ccb corporate/4.0/x86_64/apache-mod_perl-devel-2.0.2-8.1.20060mlcs4.x86_64.rpm
b540d29b6047b936c56df54fc112840a corporate/4.0/SRPMS/apache-mod_perl-2.0.2-8.1.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGHRdnmqjQ0CJFipgRAmM3AJ0dCUFSNgHIopnkGxxq7QmSq14USACgzUh5
ZiE5MNK/HPOqatceHTXd/fk=
=VF/5
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007083__updated_apache_mod_perl_packages_fix_dos_vulnerability.html)