The URL

    http://apache.org/dyn/closer.cgi/perl/mod_perl-1.29.tar.gz
or
    http://www.perl.com/CPAN/modules/by-module/Apache/mod_perl-1.29.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/G/GO/GOZER/mod_perl-1.29.tar.gz
  size: 378877 bytes
   md5: 1491931790509b9af06fc037d02b0e7a

This release is a security release.

I. Problem Description

When used in conjunction with Perl version 5.8.1, mod_perl 1.28 and earlier versions are vulnerable to predictable random number generation. Specifically, starting with version 5.8.1, Perl's random number generator is seeded during Perl interpreter startup. As a result, all child processes subsequently forked use the same seed and thus generate identical random number series.

II. Details

The recently released Perl version 5.8.1 introduced randomization of the seed used to generate hash keys. Previous versions of Perl used a hardcoded seed, resulting in potentially predictable hash key sequences. Perl version 5.8.1 generates this seed during Perl interpreter startup, which leaves an identical random number generator seed in place for each subsequently forked process.

III. Impact

By monitoring the output of third-party packages or application code that make use of Perl's rand() function, an attacker might be able to predict when the code will generate the same random number again. This information could be used to defeat mechanisms which rely on adequate pseudo-random number generation, such as authentication tokens and session identification.

IV. Affected systems

Only mod_perl 1.28 and earlier versions, in conjunction with Perl 5.8.1, are affected. In particular, no release from the mod_perl-2.0-to-be development branch is affected. Perl 5.8.1 built with non-default options may not be affected.

To determine whether your Perl is affected, issue the following command, which prints two numbers:

    perl -le 'fork; print rand'

If the two numbers are identical, this perl is vulnerable.

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to mod_perl 1.29.

2) If upgrading to mod_perl 1.29 is not possible, the following workaround will circumvent the vulnerability. Use the following command line to start your mod_perl enabled Apache server:

    PERL_HASH_SEED=`perl -le 'print int rand 9000000'` apachectl start

By specifying an explicit PERL_HASH_SEED environment variable, Perl won't randomize its hash seed and srand() will be called normally after forking.

Changes since 1.28:

- Add a workaround for the 'rand' bug for perl 5.8.1 (compiled with either -DUSE_HASH_SEED or -DUSE_HASH_SEED_EXPLICIT, which is the default), causing all forked procs to produce the same rand sequence. [Stas]

- For Win32, add an INSTALL_LIB option to 'perl Makefile.PL' to allow one to specify where to install mod_perl.lib. If not given, this defaults to APACHE_SRC\libexec, if this exists. Suggested by Steve Hay. [randyk]

- Fix t/net/perl/sym.pl (called by modules/symbol) not to affect other tests (internal/http-get and internal/http-post, which were failing to call exit). [Stas]

- Fix Apache::ExtUtils to work with blead perl (it was breaking the build). http://rt.perl.org/rt2/Ticket/Display.html?id=23803 [Stas]

- On Win32 the uploaded file wasn't cleaned up (whether it's a bug in CGI.pm or not); make sure we don't leave any dropped files around. [Steve Hay <[EMAIL PROTECTED]>]

- For Win32, keep drive letters in mod_perl.dsp to fix a bug, reported by DH <[EMAIL PROTECTED]>, when compiling mod_perl in cases where Apache and Perl are on different drives. [Randy Kobes]

- Add a workaround to define statcache in Apache.xs so that one can build on Win32 ActivePerl 8xx with LARGE_FILES support. [Randy Kobes]

Patches since 1.28 can be reviewed here: http://www.apache.org/~gozer/mp1/1.28-dev/

--------------------------------------------------------------------------------
Philippe M. Chiasson /gozer\@(cpan|ectoplasm)\.org/ 88C3A5A5 (122FF51B/C634E37B)
http://gozer.ectoplasm.org/ F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3 A5A5
Q: It is impossible to make anything foolproof because fools are so ingenious.
perl -e'$$=\${gozer};{$_=unpack(P7,pack(L,$$));/^JAm_pH\n$/&&print||$$++&&redo}'
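The failure mode described in the announcement, modelled in Python as an added example (it is not the announcement's Perl one-liner and not mod_perl's own workaround code): the parent seeds its generator once at start-up, as Perl 5.8.1 did, then forks, so every child's first rand() value is identical unless the child reseeds, which is what the srand()-after-fork behaviour restored by the workaround does. The start-up seed value is constructed.

```python
"""Model of a PRNG seeded before fork: children inherit identical state."""
import os
import random


def first_draw_per_child(n_children: int, reseed_in_child: bool) -> list[float]:
    """Fork n_children processes from a parent whose generator was seeded once
    at start-up and return each child's first random value.

    reseed_in_child=False reproduces the vulnerable behaviour (Perl 5.8.1 with
    mod_perl 1.28); reseed_in_child=True applies the srand()-after-fork fix.
    """
    # Constructed seed standing in for the one Perl drew at interpreter start-up.
    rng = random.Random(20040101)
    draws = []
    for _ in range(n_children):
        read_fd, write_fd = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: inherits rng's internal state unchanged
            os.close(read_fd)
            if reseed_in_child:
                rng.seed()  # no argument: fresh entropy from the OS per child
            os.write(write_fd, repr(rng.random()).encode())
            os.close(write_fd)
            os._exit(0)
        # parent: collect the child's first draw; rng is never advanced here,
        # so every child starts from exactly the same generator state
        os.close(write_fd)
        data = b""
        while chunk := os.read(read_fd, 4096):
            data += chunk
        os.close(read_fd)
        os.waitpid(pid, 0)
        draws.append(float(data))
    return draws


def is_vulnerable(draws: list[float]) -> bool:
    """True if any two children produced the same first value, the condition
    the announcement's 'fork; print rand' check looks for."""
    return len(set(draws)) < len(draws)
```

Mirroring the one-liner in the announcement, identical first draws across children mean sessions or tokens built from rand() in those children would repeat.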