Support / Security / Advisories / Corporate Server 4.0 / MDKSA-2007:083

Package name: apache-mod_perl
Date: 2007-04-11
Advisory ID: MDKSA-2007:083
Affected versions: CS4.0 x86_64 , 2006.0 i586 , 2007.0 x86_64 , 2007.1 i586 , 2007.0 i586 , CS3.0 x86_64 , CS4.0 i586 , CS3.0 i586 , 2006.0 x86_64 , 2007.1 x86_64

Problem description

PerlRun.pm in Apache mod_perl 1.30 and earlier, and RegistryCooker.pm
in mod_perl 2.x, does not properly escape PATH_INFO before use in a
regular expression, which allows remote attackers to cause a denial
of service (resource consumption) via a crafted URI.

Updated packages have been patched to correct this issue.

Updated packages

CS4.0 x86_64

 737b44aec85fe3177a10c95e42394f08  corporate/4.0/x86_64/apache-mod_perl-2.0.2-8.1.20060mlcs4.x86_64.rpm
 f0244a54e2366d511486a2b4a0243ccb  corporate/4.0/x86_64/apache-mod_perl-devel-2.0.2-8.1.20060mlcs4.x86_64.rpm 
 b540d29b6047b936c56df54fc112840a  corporate/4.0/SRPMS/apache-mod_perl-2.0.2-8.1.20060mlcs4.src.rpm

2006.0 i586

 36fc6ebd1647bf1cd0d404f19342ad7e  2006.0/i586/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.i586.rpm
 02dce36084140d70e829e47d960ea576  2006.0/i586/apache-mod_perl-devel-2.0.54_2.0.1-6.1.20060mdk.i586.rpm 
 0b880a7578f7f0d4378f9e21204696c9  2006.0/SRPMS/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.src.rpm

2007.0 x86_64

 af928b60d4291c583bad0f4c04ca6169  2007.0/x86_64/apache-mod_perl-2.0.2-8.1mdv2007.0.x86_64.rpm
 e54445500f5ca4a28a3a4bbb2223d792  2007.0/x86_64/apache-mod_perl-devel-2.0.2-8.1mdv2007.0.x86_64.rpm 
 a3829703a55a306a1132d496e63ec652  2007.0/SRPMS/apache-mod_perl-2.0.2-8.1mdv2007.0.src.rpm

2007.1 i586

 e52c43b0f7a66915e4c76aae38d3877b  2007.1/i586/apache-mod_perl-2.0.3-3.1mdv2007.1.i586.rpm
 01fcca2beb3f2c79d9f4ac8aae13c631  2007.1/i586/apache-mod_perl-devel-2.0.3-3.1mdv2007.1.i586.rpm 
 3d752f5e1d08baf118da6ce8407a4ee7  2007.1/SRPMS/apache-mod_perl-2.0.3-3.1mdv2007.1.src.rpm

2007.0 i586

 a5144771fa71b818e2d89f8c417c5243  2007.0/i586/apache-mod_perl-2.0.2-8.1mdv2007.0.i586.rpm
 a165f6820d6c1ffd2cfc671aa2a44310  2007.0/i586/apache-mod_perl-devel-2.0.2-8.1mdv2007.0.i586.rpm 
 a3829703a55a306a1132d496e63ec652  2007.0/SRPMS/apache-mod_perl-2.0.2-8.1mdv2007.0.src.rpm

CS3.0 x86_64

 afc8e04510079792d9bf6a2c43dad3cf  corporate/3.0/x86_64/HTML-Embperl-1.3.29_1.3.6-3.2.C30mdk.x86_64.rpm
 35977f84e3a1ce37e0f5a50814675c7a  corporate/3.0/x86_64/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
 a8c7bd9351bcc6c83b204646df7bffdd  corporate/3.0/x86_64/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.x86_64.rpm
 397ad0e9ea70f6f0bcdae436b7dd4e53  corporate/3.0/x86_64/apache2-mod_perl-devel-2.0.48_1.99_11-3.1.C30mdk.x86_64.rpm
 42c4e59c5174e84b7b7659de0f6d0b3e  corporate/3.0/x86_64/mod_perl-common-1.3.29_1.29-3.2.C30mdk.x86_64.rpm
 7acc7a6c50b41a4c9900910a0c1b3ec0  corporate/3.0/x86_64/mod_perl-devel-1.3.29_1.29-3.2.C30mdk.x86_64.rpm 
 0ff32be9c7e314b93142b25c0ccfc3ff  corporate/3.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.src.rpm
 672b33503464c59bdda5025f1004ab0b  corporate/3.0/SRPMS/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.src.rpm

CS4.0 i586

 c7dbc8d2b1f4a7959cc8ba28b229512c  corporate/4.0/i586/apache-mod_perl-2.0.2-8.1.20060mlcs4.i586.rpm
 88e16a7e0755a3a1fe987f6f2c44336c  corporate/4.0/i586/apache-mod_perl-devel-2.0.2-8.1.20060mlcs4.i586.rpm 
 b540d29b6047b936c56df54fc112840a  corporate/4.0/SRPMS/apache-mod_perl-2.0.2-8.1.20060mlcs4.src.rpm

CS3.0 i586

 e5e446755e5b3b403e573ee356bd01be  corporate/3.0/i586/HTML-Embperl-1.3.29_1.3.6-3.2.C30mdk.i586.rpm
 1399d977fdae6085bc59102b8577c052  corporate/3.0/i586/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.i586.rpm
 c49b2f2564a381aa22dd02b9d4f7c607  corporate/3.0/i586/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.i586.rpm
 f2534e8cd62267e0cfffb147323e816c  corporate/3.0/i586/apache2-mod_perl-devel-2.0.48_1.99_11-3.1.C30mdk.i586.rpm
 cd85d71d94598d066a912b57ea8b1534  corporate/3.0/i586/mod_perl-common-1.3.29_1.29-3.2.C30mdk.i586.rpm
 32700fd599acc6d2e012f00155586bc1  corporate/3.0/i586/mod_perl-devel-1.3.29_1.29-3.2.C30mdk.i586.rpm 
 0ff32be9c7e314b93142b25c0ccfc3ff  corporate/3.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.2.C30mdk.src.rpm
 672b33503464c59bdda5025f1004ab0b  corporate/3.0/SRPMS/apache2-mod_perl-2.0.48_1.99_11-3.1.C30mdk.src.rpm

2006.0 x86_64

 fa69d3b6658b440e244404c8a27dc31a  2006.0/x86_64/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.x86_64.rpm
 e2cd324ddefb059d9e15c7cf29378dd6  2006.0/x86_64/apache-mod_perl-devel-2.0.54_2.0.1-6.1.20060mdk.x86_64.rpm 
 0b880a7578f7f0d4378f9e21204696c9  2006.0/SRPMS/apache-mod_perl-2.0.54_2.0.1-6.1.20060mdk.src.rpm

2007.1 x86_64

 e969fb39acb7ce53cf8528fbc6283a9d  2007.1/x86_64/apache-mod_perl-2.0.3-3.1mdv2007.1.x86_64.rpm
 4d43ab40be1bd7b404866ae0af6e2663  2007.1/x86_64/apache-mod_perl-devel-2.0.3-3.1mdv2007.1.x86_64.rpm 
 3d752f5e1d08baf118da6ce8407a4ee7  2007.1/SRPMS/apache-mod_perl-2.0.3-3.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349