Your message dated Thu, 21 Mar 2013 22:02:05 +0000
with message-id <[email protected]>
and subject line Bug#702821: fixed in libapache2-mod-perl2 2.0.4-7+squeeze1
has caused the Debian Bug report #702821,
regarding libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks
t/perl/hash_attack.t
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
702821: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702821
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-perl2
Version: 2.0.7-2
Severity: serious
Control: found -1 2.0.4-7
X-Debbugs-Cc: [email protected], [email protected]
As noted on the modperl users list in
http://mail-archives.apache.org/mod_mbox/perl-modperl/201303.mbox/%[email protected]%3E
the perl fix for CVE-2013-1667 (rehashing flaw) makes t/perl/hash_attack.t
in libapache2-mod-perl2 fail, so the latter package now fails to build
from source.
Verified on both squeeze and sid/wheezy.
t/perl/api.t ............................ ok
request has failed (the response code was: 500)
see t/logs/error_log for more details
t/perl/hash_attack.t ....................
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 1/1 subtests
[...]
Result: FAIL
Failed 1/242 test programs. 0/3534 subtests failed.
No patch yet, but according to Steve Hay in the above message
there is one floating around:
> I have seen a patch for it on the perl5-security list, and will
> hopefully apply it soon.
so it's probably best to wait a moment before disabling the test.
FWIW the SVN repository is at
svn co https://svn.apache.org/repos/asf/perl/modperl/trunk
and can be browsed at
http://svn.apache.org/viewvc/perl/modperl/trunk/
Cc'ing the security team. Once we have a fix, I suppose we'll need to
fix libapache2-mod-perl2 via stable-security?
--
Niko Tyni [email protected]
--- End Message ---
--- Begin Message ---
Source: libapache2-mod-perl2
Source-Version: 2.0.4-7+squeeze1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated libapache2-mod-perl2
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 16 Mar 2013 15:17:51 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source all i386
Version: 2.0.4-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
libapache2-mod-perl2 - Integration of perl with the Apache2 web server
libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server -
development fil
libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server -
documentation
Closes: 702821
Changes:
libapache2-mod-perl2 (2.0.4-7+squeeze1) stable-security; urgency=high
.
* Fix FTBFS with versions of perl including the CVE-2013-1667
fix (Closes: #702821)
Checksums-Sha1:
9277de34cb90a39367248b6f82cc58ef3c75f4cf 1900
libapache2-mod-perl2_2.0.4-7+squeeze1.dsc
65299a16ec414a690a48a2bbe63acaa3c6bb897b 3727717
libapache2-mod-perl2_2.0.4.orig.tar.gz
813d2f6fb3fad4a6eb2ed31f99ea46a6f7a56f41 18411
libapache2-mod-perl2_2.0.4-7+squeeze1.diff.gz
260e1c5de026de1ac1ef345f096f6dde166d2abc 78988
libapache2-mod-perl2-dev_2.0.4-7+squeeze1_all.deb
d7f665b185d32871bbd9bc8825b2becbf4ece727 3126440
libapache2-mod-perl2-doc_2.0.4-7+squeeze1_all.deb
a588c5324bb7c7448ee0b235d1c3a4df4cf290c3 1077794
libapache2-mod-perl2_2.0.4-7+squeeze1_i386.deb
Checksums-Sha256:
0b27ab83affb43de168d59433b7602c99ec1307519cba78915b766871397f147 1900
libapache2-mod-perl2_2.0.4-7+squeeze1.dsc
7da2046aa65dbef64ff5b71400bed4b6b82441e6313c8ca4becb85fb4a89a0f0 3727717
libapache2-mod-perl2_2.0.4.orig.tar.gz
61d3c22c9cbb0ac68427fac8e5a52ede6b86b4242a6f7d6cb130f8b43ddbe05e 18411
libapache2-mod-perl2_2.0.4-7+squeeze1.diff.gz
5d7393b2a63e9c496776192e817800eec236a0d02be3117d1a8a24626244722c 78988
libapache2-mod-perl2-dev_2.0.4-7+squeeze1_all.deb
c47a8a5afd0e729bd7cd1165f465a5dd8552610553b6fa115a47530d44c05eb2 3126440
libapache2-mod-perl2-doc_2.0.4-7+squeeze1_all.deb
dfa7aabf4a70f2400739d7ecba6998caf905cefa06a3a4e85f45b6f18bc00ff5 1077794
libapache2-mod-perl2_2.0.4-7+squeeze1_i386.deb
Files:
33b46b6f7c1b027f3440e5c50ebcf4be 1900 httpd optional
libapache2-mod-perl2_2.0.4-7+squeeze1.dsc
1a05625ae6843085f985f5da8214502a 3727717 httpd optional
libapache2-mod-perl2_2.0.4.orig.tar.gz
881062a0a611317f57d24c00bf03e7bc 18411 httpd optional
libapache2-mod-perl2_2.0.4-7+squeeze1.diff.gz
d1eb6a47b76c60d29096819531cee11b 78988 libdevel optional
libapache2-mod-perl2-dev_2.0.4-7+squeeze1_all.deb
06e14fb442214940d528fe8cc46e5b5b 3126440 doc optional
libapache2-mod-perl2-doc_2.0.4-7+squeeze1_all.deb
f23cc58eb4855e8fbe05bbc8e1e856f0 1077794 httpd optional
libapache2-mod-perl2_2.0.4-7+squeeze1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFRRLJ6YzuFKFF44qURApVqAKCYeNrdWn/INQFof4aO3bwiU7pNSwCgw/UI
YJED6DTYzyynOR2ZdVmOYqw=
=HsT+
-----END PGP SIGNATURE-----
--- End Message ---
