Your message dated Thu, 15 Nov 2018 20:40:57 +0000
with message-id <[email protected]>
and subject line Bug#644169: fixed in libapache2-mod-perl2 2.0.10-3
has caused the Debian Bug report #644169,
regarding libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
644169: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-perl2
Version: 2.0.4-7
Severity: important


I'm unable to disable <Perl> sections, as described here:

http://perl.apache.org/docs/2.0/user/config/config.html#C_Perl_Handler_

Note: all configuration options below and screen output are indented by
two spaces intentionally.  Comments are not indented.

So, according to the documentation, I should be able to simply place
the following in the server configuration.

  PerlOptions -Sections

When the option is placed in the server configuration, the following error 
message is printed to screen when using apache2ctl configtest:

  Syntax error on line 10 of /etc/apache2/conf.d/all_vhosts:
  Invalid per-server PerlOption: Sections
  Action 'configtest' failed.
  The Apache error log may have more information.

The apache error log does not have any information.

This option is not allowed in per-directory configurations, and if I
try to do so, Apache provides the following error message (IP address
and path mangled):

  [Mon Oct 03 16:11:28 2011] [alert] [client aaa.bbb.ccc.ddd] /home/dir/.htaccess: Invalid per-directory PerlOption: Sections (only allowed per-server)

As far as I can tell from the changelog, nothing has changed regarding
this part of mod_perl 2 that would affect this feature between 2.0.4
(the version in Debian squeeze) and 2.0.5 (the current best version).
Updating to 2.0.5 from testing is not an option, because of eager
dependencies to newer versions of other packages.

For my use, this bug is a security problem, as it makes it impossible
to include mod_perl code to manage the Apache API in server
configurations without permitting users to run Perl code in the same
server, unless you also disable per-user configuration in .htaccess,
which breaks other useful functionality.

-- Package-specific info:
-------------8<---------- Start Bug Report ------------8<----------
1. Problem Description:

  [DESCRIBE THE PROBLEM HERE]

2. Used Components and their Configuration:

*** mod_perl version 2.000004

*** using /usr/lib/perl5/Apache2/BuildConfig.pm

*** Makefile.PL options:
  MP_APR_LIB     => aprext
  MP_APXS        => /usr/bin/apxs2
  MP_CCOPTS      => -g -Wall
  MP_COMPAT_1X   => 1
  MP_GENERATE_XS => 1
  MP_INCLUDE_DIR => /usr/include/apache2 /usr/include/apr-1.0
  MP_LIBNAME     => mod_perl
  MP_TRACE       => 0
  MP_USE_DSO     => 1
  MP_USE_GTOP    => 1
  MP_USE_STATIC  => 0


*** The httpd binary was not found


*** (apr|apu)-config linking info

 -L/usr/lib -laprutil-1  -ldb     
 -L/usr/lib -lapr-1  



*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=2.6.32-5-amd64, archname=x86_64-linux-gnu-thread-multi
    uname='linux brahms 2.6.32-5-amd64 #1 smp tue jun 14 09:42:28 utc 2011 
x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN 
-Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr 
-Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr 
-Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 
-Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.1 
-Dsitearch=/usr/local/lib/perl/5.10.1 -Dman1dir=/usr/share/man/man1 
-Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 
-Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl 
-Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm 
-DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.1 
-Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing 
-pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe 
-fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.5', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', 
lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.11.2.so, so=so, useshrplib=true, libperl=libperl.so.5.10.1
    gnulibc_version='2.11.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib 
-fstack-protector'


Characteristics of this binary (from libperl): 
  Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP USE_64_BIT_ALL
                        USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
                        USE_PERLIO USE_REENTRANT_API
  Locally applied patches:
        DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 
Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build 
hosts
        DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to 
/etc/perl as /usr may not be writable.
        DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS 
default for modules installed from CPAN.
        DEBPKG:debian/db_file_ver - http://bugs.debian.org/340047 Remove overly 
restrictive DB_File version check.
        DEBPKG:debian/doc_info - Replace generic man(1) instructions with 
Debian-specific information.
        DEBPKG:debian/enc2xs_inc - http://bugs.debian.org/290336 Tweak enc2xs 
to follow symlinks and ignore missing @INC directories.
        DEBPKG:debian/errno_ver - http://bugs.debian.org/343351 Remove Errno 
version check due to upgrade problems with long-running processes.
        DEBPKG:debian/extutils_hacks - Various debian-specific ExtUtils changes
        DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the 
binary targets.
        DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist 
files for core or vendor.
        DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as 
per Debian policy.
        DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to 
/etc/perl/Net as /usr may not be writable.
        DEBPKG:debian/m68k_thread_stress - http://bugs.debian.org/495826 
Disable some threads tests on m68k for now due to missing TLS.
        DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
        DEBPKG:debian/module_build_man_extensions - 
http://bugs.debian.org/479460 Adjust Module::Build manual page extensions for 
the Debian Perl policy
        DEBPKG:debian/perl_synopsis - http://bugs.debian.org/278323 Rearrange 
perl.pod
        DEBPKG:debian/prune_libs - http://bugs.debian.org/128355 Prune the list 
of libraries wanted to what we actually need.
        DEBPKG:debian/use_gdbm - Explicitly link against -lgdbm_compat in 
ODBM_File/NDBM_File. 
        DEBPKG:fixes/assorted_docs - http://bugs.debian.org/443733 [384f06a] 
Math::BigInt::CalcEmu documentation grammar fix
        DEBPKG:fixes/net_smtp_docs - http://bugs.debian.org/100195 [rt.cpan.org 
#36038] Document the Net::SMTP 'Port' option
        DEBPKG:fixes/processPL - http://bugs.debian.org/357264 [rt.cpan.org 
#17224] Always use PERLRUNINST when building perl modules.
        DEBPKG:debian/perlivp - http://bugs.debian.org/510895 Make perlivp skip 
include directories in /usr/local
        DEBPKG:fixes/pod2man-index-backslash - http://bugs.debian.org/521256 
Escape backslashes in .IX entries
        DEBPKG:debian/disable-zlib-bundling - Disable zlib bundling in 
Compress::Raw::Zlib
        DEBPKG:fixes/kfreebsd_cppsymbols - http://bugs.debian.org/533098 
[3b910a0] Add gcc predefined macros to $Config{cppsymbols} on GNU/kFreeBSD.
        DEBPKG:debian/cpanplus_definstalldirs - http://bugs.debian.org/533707 
Configure CPANPLUS to use the site directories by default.
        DEBPKG:debian/cpanplus_config_path - Save local versions of 
CPANPLUS::Config::System into /etc/perl.
        DEBPKG:fixes/kfreebsd-filecopy-pipes - http://bugs.debian.org/537555 
[16f708c] Fix File::Copy::copy with pipes on GNU/kFreeBSD
        DEBPKG:fixes/anon-tmpfile-dir - http://bugs.debian.org/528544 [perl 
#66452] Honor TMPDIR when open()ing an anonymous temporary file
        DEBPKG:fixes/abstract-sockets - http://bugs.debian.org/329291 [89904c0] 
Add support for Abstract namespace sockets.
        DEBPKG:fixes/hurd_cppsymbols - http://bugs.debian.org/544307 [eeb92b7] 
Add gcc predefined macros to $Config{cppsymbols} on GNU/Hurd.
        DEBPKG:fixes/autodie-flock - http://bugs.debian.org/543731 Allow for 
flock returning EAGAIN instead of EWOULDBLOCK on linux/parisc
        DEBPKG:fixes/archive-tar-instance-error - http://bugs.debian.org/539355 
[rt.cpan.org #48879] Separate Archive::Tar instance error strings from each 
other
        DEBPKG:fixes/positive-gpos - http://bugs.debian.org/545234 [perl 
#69056] [c584a96] Fix \G crash on first match
        DEBPKG:debian/devel-ppport-ia64-optim - http://bugs.debian.org/548943 
Work around an ICE on ia64
        DEBPKG:fixes/trie-logic-match - http://bugs.debian.org/552291 [perl 
#69973] [0abd0d7] Fix a DoS in Unicode processing [CVE-2009-3626]
        DEBPKG:fixes/hppa-thread-eagain - http://bugs.debian.org/554218 make 
the threads-shared test suite more robust, fixing failures on hppa
        DEBPKG:fixes/crash-on-undefined-destroy - http://bugs.debian.org/564074 
[perl #71952] [1f15e67] Fix a NULL pointer dereference when looking for a 
DESTROY method
        DEBPKG:fixes/tainted-errno - http://bugs.debian.org/574129 [perl 
#61976] [be1cf43] fix an errno stringification bug in taint mode
        DEBPKG:fixes/safe-upgrade - http://bugs.debian.org/582978 Upgrade 
Safe.pm to 2.25, fixing CVE-2010-1974
        DEBPKG:fixes/tell-crash - http://bugs.debian.org/578577 [f4817f3] Fix a 
tell() crash on bad arguments.
        DEBPKG:fixes/format-write-crash - http://bugs.debian.org/579537 [perl 
#22977] [421f30e] Fix a crash in format/write
        DEBPKG:fixes/arm-alignment - http://bugs.debian.org/289884 [f1c7503] 
Prevent gcc from optimizing the alignment test away on armel
        DEBPKG:fixes/fcgi-test - Fix a failure in CGI/t/fast.t when FCGI is 
installed
        DEBPKG:fixes/hurd-ccflags - http://bugs.debian.org/587901 Make 
hints/gnu.sh append to $ccflags rather than overriding them
        DEBPKG:debian/squelch-locale-warnings - http://bugs.debian.org/508764 
Squelch locale warnings in Debian package maintainer scripts
        DEBPKG:fixes/lc-numeric-docs - http://bugs.debian.org/379329 [perl 
#78452] [903eb63] LC_NUMERIC documentation fixes
        DEBPKG:fixes/lc-numeric-sprintf - http://bugs.debian.org/601549 [perl 
#78632] [b3fd614] Fix sprintf not to ignore LC_NUMERIC with constants
        DEBPKG:fixes/concat-stack-corruption - http://bugs.debian.org/596105 
[perl #78674] [e3393f5] Fix stack pointer corruption in pp_concat() with 'use 
encoding'
        DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 
[CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline 
header vulnerabilities
        DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 
[perl #87336] fix unwanted taint laundering in lc(), uc() et al.
        DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default 
coderefs returned by rdo and reval
        DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches 
for 5.10.1-17squeeze2 in patchlevel.h
  Built under linux
  Compiled at Jun 30 2011 22:28:00
  %ENV:
    PERL_LWP_USE_HTTP_10="1"
  @INC:
    /etc/perl
    /usr/local/lib/perl/5.10.1
    /usr/local/share/perl/5.10.1
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.10
    /usr/share/perl/5.10
    /usr/local/lib/site_perl
    .

*** Packages of interest status:

Apache2            : -
Apache2::Request   : -
CGI                : 3.43, 3.49
ExtUtils::MakeMaker: 6.55_02
LWP                : 5.836
mod_perl           : -
mod_perl2          : 2.000004


3. This is the core dump trace: (if you get a core dump):

  [CORE TRACE COMES HERE]

This report was generated by /usr/share/libapache2-mod-perl2/mp2bug on Mon Oct  3 14:55:40 2011 GMT.

-------------8<---------- End Bug Report --------------8<----------




-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-perl2 depends on:
ii  apache2                2.2.16-6+squeeze3 Apache HTTP Server metapackage
ii  apache2-mpm-worker [ap 2.2.16-6+squeeze3 Apache HTTP Server - high speed th
ii  apache2.2-common       2.2.16-6+squeeze3 Apache HTTP Server common files
ii  libapr1                1.4.2-6+squeeze3  The Apache Portable Runtime Librar
ii  libaprutil1            1.3.9+dfsg-5      The Apache Portable Runtime Utilit
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libdevel-symdump-perl  2.08-3            Perl module for inspecting perl's 
ii  libperl5.10            5.10.1-17squeeze2 shared Perl library
ii  liburi-perl            1.54-2            module to manipulate and access UR
ii  libwww-perl            5.836-1           Perl HTTP/WWW client/server librar
ii  netbase                4.45              Basic TCP/IP networking system
ii  perl [libmime-base64-p 5.10.1-17squeeze2 Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.1 5.10.1-17squeeze2 minimal Perl system

Versions of packages libapache2-mod-perl2 recommends:
ii  libapache2-reload-perl        0.10-2     Reload Perl modules when changed o
ii  libbsd-resource-perl          1.2904-1   BSD process resource limit and pri

libapache2-mod-perl2 suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: libapache2-mod-perl2
Source-Version: 2.0.10-3

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Nov 2018 19:25:41 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source
Version: 2.0.10-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 644169
Changes:
 libapache2-mod-perl2 (2.0.10-3) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ Xavier Guimard ]
   * Patches:
     - update format of 0001-Skip-* and 370_http_syntax.patch
     - use short link for bugs.d.o in honour-env-LDFLAGS.patch
     - update offset in avoid-db-linkage.patch
     - add new spelling errors in 200_fix-pod-spelling-errors.patch
   * Apache2 license:
     - update Apache2 license link
     - add required NOTICE file in docs
   * dependencies:
     - remove useless dependency version to apache2-dev
     - remove dh-apache2 from dependencies (alias to apache2-dev)
   * Add myself to uploaders
   * Declare compliance with policy 4.1.5
   * Bump debhelper compatibility to 10
   * Add debian/upstream/metadata
   * Remove useless --parallel option in debian/rules
   * Remove useless Testsuite entry
   * Email change: Xavier Guimard -> [email protected]
 .
   [ Dominic Hargreaves ]
   * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
     user controlled configuration (Closes: #644169)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
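
An added example, not part of the original messages or of the Debian or mod_perl code: a small audit that walks a document root and reports per-directory files containing <Perl> sections or Perl* directives, the user-controlled configuration that the CVE-2011-2767 changelog entry refers to. The sample tree, its file contents and the function names are constructed for the demonstration.

```python
import os
import re
import tempfile

# httpd treats directive and section names case-insensitively.
PERL_SECTION = re.compile(r"^\s*<\s*Perl\b[^>]*>", re.IGNORECASE)
PERL_DIRECTIVE = re.compile(r"^\s*(Perl\w+)\b", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_number, line), joining backslash continuations."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a continuation
        yield start, buf

def scan_htaccess(root, name=".htaccess"):
    """Return sorted (path, line, token) hits; set `name` if AccessFileName differs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        with open(path, encoding="utf-8", errors="replace") as handle:
            text = handle.read()
        for number, line in logical_lines(text):
            if line.lstrip().startswith("#"):
                continue  # comment line
            directive = PERL_DIRECTIVE.match(line)
            if PERL_SECTION.match(line):
                findings.append((path, number, "<Perl>"))
            elif directive:
                findings.append((path, number, directive.group(1)))
    return sorted(findings)

# Constructed sample tree: three users' per-directory files.
SAMPLES = {
    "alice/.htaccess": "Options -Indexes\n# <Perl> in a comment is ignored\n",
    "bob/.htaccess": "<perl >\n  1;\n</Perl>\n",
    "carol/.htaccess": "PerlOptions \\\n  +ParseHeaders\n",
}

def demo():
    """Write SAMPLES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path))
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(body)
        return [(os.path.relpath(p, root), n, t) for p, n, t in scan_htaccess(root)]
```

Lines inside a <Perl> section that happen to start with "Perl" are also reported, so treat directive hits that follow a section hit in the same file as part of that section.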
