LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

The 2008 Linux and free software timeline

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

OpenPKG alert OpenPKG-SA-2007.011 (apache)



From:
    	      OpenPKG GmbH <openpkg-noreply@openpkg.com>


To:
    	      openpkg-announce@openpkg.org


Subject:
    	      [OpenPKG-SA-2007.011] OpenPKG Security Advisory (apache)


Date:
    	      Thu, 17 May 2007 20:44:39 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.011
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.011
Advisory Published:      2007-05-17 20:44 UTC

Issue Id (internal):     OpenPKG-SI-20070329.01
Issue First Created:     2007-03-29
Issue Last Modified:     2007-05-17
Issue Revision:          06
____________________________________________________________________________

Subject Name:            Apache/mod_perl
Subject Summary:         Perl Extension Module for Apache
Subject Home:            http://perl.apache.org/
Subject Versions:        1.* <= 1.29

Vulnerability Id:        CVE-2007-1349
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           denial of service

Description:
    A vulnerability exists [0] in the Apache extension module mod_perl
    [1], which potentially can be exploited by malicious people to
    cause a DoS (Denial of Service). The vulnerability is caused due
    to a regular expression in "PerlRun.pm" that uses the "path_info"
    variable without properly escaping it [2]. This can be exploited to
    cause a DoS by sending requests with specially crafted URLs to a
    vulnerable server [3][4].

References:
    [0] http://www.gossamer-threads.com/lists/modperl/modperl/92739
    [1] http://perl.apache.org/
    [2] http://svn.apache.org/viewvc?view=rev&revision=521582
    [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349
    [4] http://secunia.com/advisories/24678/
____________________________________________________________________________

Primary Package Name:    apache
Primary Package Home:    http://openpkg.org/go/package/apache

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        apache-1.3.37-E1.0.4
OpenPKG Community        CURRENT           apache-1.3.37-20070329
OpenPKG Community        CURRENT           apache-php4-1.3.37-20070329
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFGTKKIZwQuyWG3rjQRAhfEAKDQEc9PK0VID5R9ol6yl2kvb8axKQCfWJv6
+Zwxmn1fB+F0nqnGL5XaGLc=
=3xNo
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenPKG                                             http://openpkg.org
Announcement List                         openpkg-announce@openpkg.org
(Log in to post comments)

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds