mod_perl lists, A specific vulnerability [CVE-2009-0795] in Apache::Status and Apache2::Status has been discovered which may affect the security of your mod_perl installation. Running Apache::Status on a public server with no protection has always been a bad idea though, vulnerability or not.
The mod_perl1 and mod_perl2 codebases have been updated to protect against this vulnerability, but your existing server may be vulnerable. To secure your mod_perl server from this vulnerability, we recommend that you disallow access to Apache::Status and Apache2::Status resources (usually located at /perl-status) from untrusted hosts.

Q: How do I know if my installation is vulnerable?

A: If you have enabled the Apache::Status or Apache2::Status modules in your httpd.conf, your installation may be vulnerable. See the following links for details on what constitutes potentially vulnerable httpd.conf directives:

  http://perl.apache.org/docs/1.0/api/Apache/Status.html#Description
  http://perl.apache.org/docs/2.0/api/Apache2/Status.html#Description

If you have a <Location /perl-status> directive in your httpd.conf, your installation is likely vulnerable.

Q: What steps do I take to secure my mod_perl installation?

A: Disallow access to your status URL (for example /perl-status) from untrusted clients in your httpd.conf file.

mod_perl1 example:

  <Location /perl-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    SetHandler perl-script
    PerlHandler Apache::Status
  </Location>

mod_perl2 example:

  <Location /perl-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
  </Location>
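Added here as an illustration, not as code from the announcement or from the mod_perl project: a small POSIX shell check that scans an httpd.conf for <Location> blocks handing requests to Apache::Status or Apache2::Status and flags any that lack the "Deny from all" / "Allow from" restriction shown above. The two sample config fragments it writes are constructed for the example. Treating an Apache 2.4-style "Require" directive as a valid restriction, and not following Include'd files or <LocationMatch> blocks, are assumptions of this example rather than statements from the announcement.

```shell
#!/bin/sh
# Added example, not code from the mod_perl project or the announcement.
# Scans an httpd.conf for <Location> blocks that route requests to
# Apache::Status or Apache2::Status and reports any that lack the host-based
# restriction recommended in the announcement (Deny from all + Allow from ...).
# Assumptions: only plain <Location> blocks are parsed; Include'd files and
# <LocationMatch> are not followed; an Apache 2.4 "Require" line also counts.

# check_status_locations FILE
# Prints one line per unprotected status Location.
# Returns 0 when every status Location is restricted, 1 when at least one is
# open, 2 when FILE cannot be read.
check_status_locations() {
    [ -r "$1" ] || return 2
    open=$(awk '
        # Start of a <Location PATH> block: remember PATH, reset per-block flags.
        tolower($1) == "<location" {
            inloc = 1; path = $2; sub(/>$/, "", path)
            is_status = 0; denied = 0; allowed = 0; required = 0
            next
        }
        # End of the block: report it if it serves the status handler unprotected.
        inloc && index(tolower($0), "</location>") {
            if (is_status && !((denied && allowed) || required)) print path
            inloc = 0
            next
        }
        inloc {
            line = tolower($0)
            # Handler directive from either mod_perl generation.
            if (line ~ /perl(response)?handler[ \t]+apache2?::status/) is_status = 1
            # mod_access style restriction (the form used in the announcement).
            if (line ~ /^[ \t]*deny[ \t]+from[ \t]+all/) denied = 1
            if (line ~ /^[ \t]*allow[ \t]+from[ \t]+/) allowed = 1
            # Assumed extension: Apache 2.4 authz "Require ..." counts as a restriction.
            if (line ~ /^[ \t]*require[ \t]+/) required = 1
        }
    ' "$1")
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | sed 's/^/unprotected status location: /'
        return 1
    fi
    return 0
}

# write_samples: writes two constructed httpd.conf fragments into a temp
# directory and prints that directory. Sample data only, not from a real server.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/open.conf" <<'EOF'
<Location /perl-status>
    SetHandler perl-script
    PerlHandler Apache::Status
</Location>
EOF
    cat > "$dir/restricted.conf" <<'EOF'
<Location /perl-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
</Location>
<Location /app>
    SetHandler perl-script
    PerlResponseHandler My::App
</Location>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: check both constructed samples and report the verdict.
samples=$(write_samples)
for f in "$samples/open.conf" "$samples/restricted.conf"; do
    if check_status_locations "$f"; then
        echo "$f: all status locations restricted"
    else
        echo "$f: status location open to untrusted clients"
    fi
done
```

On a real server, point check_status_locations at the live httpd.conf (and at each file it Includes, since the script does not follow them); an exit status of 1 means at least one /perl-status-style block is reachable without the Deny/Allow restriction.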