Update - I fat-fingered the CVE number in this email body previously (but it was correct in the subject).
The correct vulnerability reference number is CVE-2009-0796.

On Wed, Apr 1, 2009 at 2:58 PM, Fred Moyer <f...@redhotpenguin.com> wrote:
> mod_perl lists,
>
> A specific vulnerability [CVE-2009-0795] in Apache::Status and
> Apache2::Status has been discovered which may affect the security of
> your mod_perl installation. Running Apache::Status on a public server
> with no protection has always been a bad idea though, vulnerability or
> not.
>
> The mod_perl1 and mod_perl2 codebases have been updated to protect
> against this vulnerability, but your existing server may be
> vulnerable. To secure your mod_perl server from this vulnerability,
> we recommend that you disallow access to Apache::Status and
> Apache2::Status resources (usually located at /perl-status) from
> untrusted hosts.
>
> Q: How do I know if my installation is vulnerable?
>
> A: If you have enabled the Apache::Status or Apache2::Status modules
> in your httpd.conf, your installation may be vulnerable. See the
> following links for details on what constitutes potentially vulnerable
> httpd.conf directives.
>
> http://perl.apache.org/docs/1.0/api/Apache/Status.html#Description
> http://perl.apache.org/docs/2.0/api/Apache2/Status.html#Description
>
> If you have a <Location /perl-status> directive in your httpd.conf,
> your installation is likely vulnerable.
>
> Q: What steps do I take to secure my mod_perl installation?
>
> A: Disallow access from certain clients to your status URL (example
> /perl-status) in your httpd.conf file.
>
> mod_perl1 example:
>
> <Location /perl-status>
>   Order deny,allow
>   Deny from all
>   Allow from 127.0.0.1
>   SetHandler perl-script
>   PerlHandler Apache::Status
> </Location>
>
> mod_perl2 example:
>
> <Location /perl-status>
>   Order deny,allow
>   Deny from all
>   Allow from 127.0.0.1
>   SetHandler perl-script
>   PerlResponseHandler Apache2::Status
> </Location>
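A quick way to audit a server for the exposure the advisory describes is to scan httpd.conf for <Location> blocks that route to Apache::Status or Apache2::Status and check that each one carries the "Deny from all" / "Allow from" restriction shown above. The script below is an added example, not part of the original post or the mod_perl project; the two httpd.conf fragments it writes are constructed for demonstration, and the check is a simple presence test rather than a full evaluation of Order/Allow/Deny semantics.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf for
# <Location> blocks that route to Apache::Status / Apache2::Status and
# report whether each is restricted with "Deny from all" plus "Allow from",
# as the advisory recommends. Presence check only: it does not evaluate
# Order semantics, <Limit> sections or Include'd files.
#
# Usage: check_status_acl /path/to/httpd.conf
# Exits 0 if every status block is restricted, 1 if any is exposed.
check_status_acl() {
    awk '
        /^[[:space:]]*<Location[[:space:]]/ {
            inloc = 1; loc = $2; sub(/>.*/, "", loc)
            status = 0; deny = 0; allow = 0; next
        }
        inloc && /Perl(Response)?Handler[[:space:]]+Apache2?::Status/ { status = 1 }
        inloc && tolower($0) ~ /^[[:space:]]*deny[[:space:]]+from[[:space:]]+all/ { deny = 1 }
        inloc && tolower($0) ~ /^[[:space:]]*allow[[:space:]]+from[[:space:]]/ { allow = 1 }
        /^[[:space:]]*<\/Location>/ {
            if (inloc && status) {
                if (deny && allow) printf "OK       %s restricts the status handler\n", loc
                else { printf "EXPOSED  %s serves the status handler to any client\n", loc; bad = 1 }
            }
            inloc = 0
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample configs (hypothetical, for demonstration only).
EXPOSED_CONF=$(mktemp /tmp/httpd.XXXXXX)
cat > "$EXPOSED_CONF" <<'EOF'
<Location /perl-status>
    SetHandler perl-script
    PerlHandler Apache::Status
</Location>
EOF
SAFE_CONF=$(mktemp /tmp/httpd.XXXXXX)
cat > "$SAFE_CONF" <<'EOF'
<Location /perl-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
</Location>
EOF

check_status_acl "$EXPOSED_CONF" || echo "audit failed: restrict the EXPOSED block(s)"
check_status_acl "$SAFE_CONF"
```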