
List:       apache-modperl
Subject:    [ANNOUNCE] mod_perl 1.30
From:       "Philippe M. Chiasson" <gozer () apache ! org>
Date:       2007-03-30 6:58:54
Message-ID: 05759158-AFBE-44BA-B4A2-27EFF1081366 () apache ! org


The URL

   http://apache.org/dyn/closer.cgi/perl/mod_perl-1.30.tar.gz
   or
   http://www.perl.com/CPAN/modules/by-module/Apache/mod_perl-1.30.tar.gz

has entered CPAN as

   file: $CPAN/authors/id/G/GO/GOZER/mod_perl-1.30.tar.gz
   size: 389029 bytes
    md5: bfd6f6cff1ab1cc3dbb58a236701d169

This release is a security release.

This is the first release in a long while, and even though it was
triggered by an important security issue, it also includes a good
collection of bug fixes, so upgrading is doubly a good idea!

URL regular expression DoS (CVE-2007-1349)

A flaw was discovered in the Apache::PerlRun module shipped with
mod_perl 1.29 and earlier and in the ModPerl::RegistryCooker module
shipped with mod_perl 2.03 and earlier. A remote attacker could craft
a URL with a path that would be interpreted as a regular expression,
potentially allowing a denial of service by creating an expression
that will take a very long time to run. This vulnerability only
affects Apache::PerlRun and custom subclasses of
ModPerl::RegistryCooker that explicitly use the namespace_from_uri()
method. The Apache::Registry, ModPerl::PerlRun, and ModPerl::Registry
modules are NOT affected.

Users of mod_perl 1.29 and earlier are encouraged to upgrade to 1.30
if they use Apache::PerlRun for their applications.

Changes since 1.29:

SECURITY: CVE-2007-1349 (cve.mitre.org)
fix unescaped variable interpolation in Apache::PerlRun
regular expression to prevent regex engine tampering.
reported by Alex Solovey
[Randal L. Schwartz <merlyn@stonehenge.com>, Fred Moyer <fred@redhotpenguin.com>]

sync Apache-SizeLimit with latest version from CPAN (0.91)
[Philip M. Gollucci, Philippe M. Chiasson]

Fix an Apache::(Registry|PerlRun) bug caused by special characters
in the url [kolya@mail.ru]

Display a more verbose message if Apache.pm can't be loaded
[Geoffrey Young]

Fix incorrect win32 detection in Apache::SizeLimit reported by
Matt Phillips <mphillips@virage.com> [Philippe M. Chiasson]

The print-a-scalar-reference feature is now deprecated and documented
as such [Stas]

fix "PerlSetVar Foo 0" so that $r->dir_config('Foo') returns 0, not undef
[Geoffrey Young]

for some reason .pm files during the modperl build see $ENV{PERL5LIB}
set in Makefile.PL, which is used for generating Makefiles, as
"PERL5LIB=/path:/another/path" instead of "/path:/another/path"
essentially rendering this env var useless. I'm not sure why, may be
MakeMaker kicks in somewhere. Trying to workaround by
s/PERL5LIB/PERL5LIB_ENV/, using anything that's not PERL5LIB. [Stas]

change $INC{$key} = undef; to delete $INC{$key}; in PerlFreshRestart
[Geoffrey Young]

Fix a bug in Makefile.PL for Win32 where it would, in
certain cases, pick up the wrong Perl include directory
[Steve Hay]

------------------------------------------------------------------------
Philippe M. Chiasson     GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/       m/gozer\@(apache|cpan|ectoplasm)\.org/
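The advisory text and the CVE-2007-1349 changelog entry above describe the same defect from two angles: a request path reaches a regular expression through unescaped variable interpolation, so regex metacharacters in the URL become part of the pattern the server runs. The following Perl is an added illustration of that bug class and is not mod_perl's own code. The two helpers, their names, the PATH_INFO-stripping step they perform and the sample requests are all constructed for this example; the real namespace_from_uri() code is not reproduced here.

```perl
#!/usr/bin/env perl
# Added example of the bug class behind CVE-2007-1349: a request-derived
# string interpolated into a regular expression without quoting. This is
# not the mod_perl code; the helper names, the stripping step and the
# sample requests below are constructed for illustration.
use strict;
use warnings;

# Both helpers stand in for the kind of step a registry module performs
# when it derives a script name (and from it a package namespace) from a
# request: strip PATH_INFO from the end of the URI.

# Vulnerable form: $path_info is dropped straight into the pattern, so any
# regex metacharacters in the request path become part of the expression
# the server executes.
sub script_name_unsafe {
    my ($uri, $path_info) = @_;
    return $uri unless length $path_info;
    return $uri =~ /$path_info$/
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Fixed form: \Q ... \E applies quotemeta() to the interpolated value, so
# every character in $path_info is matched literally and the request can
# no longer supply regex syntax.
sub script_name_safe {
    my ($uri, $path_info) = @_;
    return $uri unless length $path_info;
    return $uri =~ /\Q$path_info\E$/
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Triage heuristic: does a request path contain characters that change
# meaning inside an unquoted pattern? '.' and '/' are deliberately left
# out because they appear in almost every path.
sub path_has_regex_meta {
    my ($path) = @_;
    return $path =~ /[\\^\$|?*+()\[\]{}]/ ? 1 : 0;
}

# Constructed sample requests: [ uri, path_info ] as Apache would split
# them for a script living at /perl/run.pl.
my @samples = (
    [ '/perl/run.pl/foo/bar', '/foo/bar' ],
    [ '/perl/run.pl/(a+)+b',  '/(a+)+b'  ],
    [ '/perl/run.pl/file[1]', '/file[1]' ],
);

for my $s (@samples) {
    my ($uri, $pi) = @$s;
    my $unsafe = script_name_unsafe($uri, $pi);
    my $safe   = script_name_safe($uri, $pi);
    printf "%-24s meta=%d unsafe=%-22s safe=%s%s\n",
        $uri, path_has_regex_meta($pi), $unsafe, $safe,
        $unsafe ne $safe ? '  <-- diverges' : '';
}
```

For the first request both helpers strip the path info and agree. For the other two the unquoted pattern no longer describes the path it was meant to remove: `/(a+)+b$` and `/file[1]$` are parsed as regex syntax, the match fails, and the "script name" the vulnerable helper returns still carries the attacker's path, while the quoted version behaves as intended. The same mechanism lets an attacker choose a pattern that backtracks for a long time, which is the denial of service the advisory describes. When auditing your own handlers, look for `=~` operations whose pattern interpolates anything taken from $r->uri, $r->path_info, query parameters or headers without `\Q...\E` (or an explicit `quotemeta`), and treat the heuristic above as a starting point for log review rather than a reliable detector.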


