Bug#913885: marked as done (stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1)

Debian Bug Tracking System Sat, 16 Feb 2019 03:44:10 -0800

Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #913885,
regarding stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
913885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913885
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

This fixes a low-severity security issue which was recently fixed in
unstable (and also jessie-lts):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169

The release will be set correctly when the changelog is finalised.

Cheers,
Dominic.

diff -Nru libapache2-mod-perl2-2.0.10/debian/changelog 
libapache2-mod-perl2-2.0.10/debian/changelog
--- libapache2-mod-perl2-2.0.10/debian/changelog        2016-12-25 
09:51:10.000000000 +0000
+++ libapache2-mod-perl2-2.0.10/debian/changelog        2018-11-16 
12:46:23.000000000 +0000
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.10-2+deb9u1) UNRELEASED; urgency=medium
+
+  * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
+    user controlled configuration (Closes: #644169)
+
+ -- Dominic Hargreaves <d...@earth.li>  Fri, 16 Nov 2018 12:46:23 +0000
+
 libapache2-mod-perl2 (2.0.10-2) unstable; urgency=medium
 
   * Patch the test suite for Apache 2.4.24 compatibility.
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch 
libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch
--- libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch      
1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch      
2018-11-16 11:44:22.000000000 +0000
@@ -0,0 +1,41 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 18 Sep 2018 19:03:15 +0200
+Subject: CVE-2011-2767
+
+Original patch by Jan Ingvoldstad.
+
+Bug-Debian: https://bugs.debian.org/644169
+Origin: https://bugs.debian.org/644169#19
+---
+ src/modules/perl/mod_perl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/modules/perl/mod_perl.c b/src/modules/perl/mod_perl.c
+index d3245bf..25c64ab 100644
+--- a/src/modules/perl/mod_perl.c
++++ b/src/modules/perl/mod_perl.c
+@@ -913,18 +913,18 @@ static const command_rec modperl_cmds[] = {
+     MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"),
+     MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"),
+     MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
+-    MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
++    MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"),
+ 
+     MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter,
+                      "filter[;filter]"),
+     MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter,
+                      "filter[;filter]"),
+ 
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
+-    MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
++    MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
+ 
+     MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"),
+ #ifdef MP_TRACE
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/series 
libapache2-mod-perl2-2.0.10/debian/patches/series
--- libapache2-mod-perl2-2.0.10/debian/patches/series   2016-12-24 
21:45:42.000000000 +0000
+++ libapache2-mod-perl2-2.0.10/debian/patches/series   2018-11-16 
12:46:14.000000000 +0000
@@ -15,3 +15,4 @@
 honour-env-LDFLAGS.patch
 370_http_syntax.patch
 380_inject_header_line_terminators.patch
+CVE-2011-2767.patch

--- End Message ---

--- Begin Message ---

Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---

Bug#913885: marked as done (stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1)

Reply via email to