The URL
http://apache.org/dyn/closer.cgi/perl/mod_perl-1.30.tar.gz
or
http://www.perl.com/CPAN/modules/by-module/Apache/
mod_perl-1.30.tar.gz
has entered CPAN as
file: $CPAN/authors/id/G/GO/GOZER/mod_perl-1.30.tar.gz
size: 389029 bytes
md5: bfd6f6cff1ab1cc3dbb58a236701d169
This release is a security release.
This is the first release in a long while, and even though it was
triggered by an important security issue, it also includes a good
collection of bug fixes, so upgrading is doubly a good idea!
URL regular expression DoS (CVE-2007-1349)
A flaw was discovered in the Apache::PerlRun module shipped with
mod_perl 1.29 and earlier and in the ModPerl::RegistryCooker module
shipped with mod_perl 2.03 and earlier. A remote attacker could craft
a URL with a path that would be interpreted as a regular expression,
potentially allowing a denial of service by creating an expression
that will take a very long time to run. This vulnerability only
affects Apache::PerlRun and custom subclasses of
ModPerl::RegistryCooker that explicitly use the namespace_from_uri()
method. The Apache::Registry, ModPerl::PerlRun, and ModPerl::Registry
modules are NOT affected.
Users of mod_perl 1.29 and earlier are encouraged to upgrade to 1.30
if they use Apache::PerlRun for their applications.
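As an added illustration (not code from mod_perl itself, and only an assumed reconstruction of the interpolation pattern the advisory and the CVE-2007-1349 changelog entry describe), the following shows why a request path interpolated into a Perl regex without escaping reaches the regex engine as syntax, and how \Q...\E (quotemeta) makes it match literally:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical reconstruction of the pattern behind CVE-2007-1349: the
# request's PATH_INFO is interpolated into a regex and matched against the
# request URI to recover the script name.  Not the module's own code.

# Unsafe: $path_info is interpolated as regex syntax, so any
# metacharacters in the client-supplied path reach the regex engine.
sub script_name_unsafe {
    my ($uri, $path_info) = @_;
    return $uri unless $path_info && $uri =~ /$path_info$/;
    return substr($uri, 0, length($uri) - length($path_info));
}

# Hardened: \Q...\E escapes every metacharacter, so the path is matched
# as a literal string.  This is the kind of fix the 1.30 changelog
# describes ("unescaped variable interpolation").
sub script_name_safe {
    my ($uri, $path_info) = @_;
    return $uri unless $path_info && $uri =~ /\Q$path_info\E$/;
    return substr($uri, 0, length($uri) - length($path_info));
}

# Constructed sample request: PATH_INFO carries an unbalanced "(" that is
# legal in a URL path but is invalid regex syntax.
my $uri       = '/perl/run.pl/report(';
my $path_info = '/report(';

# The unsafe version hands the "(" to the regex compiler and dies;
# eval catches the failure so the script can continue.
my $res = eval { script_name_unsafe($uri, $path_info) };
if (defined $res) {
    print "unsafe: $res\n";
} else {
    print "unsafe: regex error: $@";
}

# The hardened version treats "(" literally and recovers the script name.
print "safe:   ", script_name_safe($uri, $path_info), "\n";
```

A path containing "(" makes the unsafe variant fail outright; with other metacharacters the interpolated pattern simply matches something other than the literal path, which is the behaviour the advisory warns about.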
Changes since 1.29:
SECURITY: CVE-2007-1349 (cve.mitre.org)
fix unescaped variable interpolation in Apache::PerlRun
regular expression to prevent regex engine tampering.
reported by Alex Solovey
[Randal L. Schwartz <merlyn@stonehenge.com>, Fred Moyer
<fred@redhotpenguin.com>]
sync Apache-SizeLimit with latest version from CPAN (0.91)
[Philip M. Gollucci, Philippe M. Chiasson]
Fix an Apache::(Registry|PerlRun) bug caused by special characters
in the URL [kolya@mail.ru]
Display a more verbose message if Apache.pm can't be loaded
[Geoffrey Young]
Fix incorrect win32 detection in Apache::SizeLimit reported by
Matt Phillips <mphillips@virage.com> [Philippe M. Chiasson]
The print-a-scalar-reference feature is now deprecated and documented
as such [Stas]
fix "PerlSetVar Foo 0" so that $r->dir_config('Foo') returns 0, not
undef
[Geoffrey Young]
for some reason .pm files during the modperl build see $ENV{PERL5LIB}
set in Makefile.PL, which is used for generating Makefiles, as
"PERL5LIB=/path:/another/path" instead of "/path:/another/path",
essentially rendering this env var useless. I'm not sure why, maybe
MakeMaker kicks in somewhere. Trying to work around it by
s/PERL5LIB/PERL5LIB_ENV/, using anything that's not PERL5LIB. [Stas]
change $INC{$key} = undef; to delete $INC{$key}; in PerlFreshRestart
[Geoffrey Young]
Fix a bug in Makefile.PL for Win32 where it would, in
certain cases, pick up the wrong Perl include directory
[Steve Hay]
------------------------------------------------------------------------
Philippe M. Chiasson GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/ m/gozer\@(apache|cpan|ectoplasm)\.org/