Randal L. Schwartz wrote:
> >>>>> "Randal" == Randal L Schwartz <merlyn@stonehenge.com> writes:
>
> >>>>> "Alex" == Alex Solovey <[EMAIL PROTECTED]> writes:
>
> Alex> The problem is due to unescaped variable interpolation in regular
> Alex> expression $uri =~ /$path_info$/ in sub namespace_from:
>
> Randal> I don't want to raise too many alarms, but this means that every MP1
> Randal> server has a denial-of-service attack against it now.
>
> And MP2 as well, from ModPerl::RegistryCooker:
>
>     my $path_info = $self->{REQ}->path_info;
>     my $script_name = $path_info && $self->{URI} =~ /$path_info$/
>         ? substr($self->{URI}, 0, length($self->{URI}) - length($path_info))
>         : $self->{URI};
>
> Wonderful. Won't take long until this makes the rounds. Better start
> getting the patches out and the press releases.
This sensationalism was just flat-out irresponsible. I don't doubt that it's true, but not giving us dev folks time to address the issue with a security release is going to cause more headaches than it otherwise would have.

In the future, if anyone has a security issue with any Apache product, the proper path to follow is to send a brief email to [EMAIL PROTECTED]. Those guys will make sure it gets routed to the appropriate place (the mod_perl PMC and core development team in this case) and we'll work with you to get it clarified and resolved.

--Geoff
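An added example, not from this thread or from mod_perl's own code, showing why the quoted RegistryCooker fragment is fragile and how the interpolation is fixed. The sub names and the sample URI/path_info values are constructed for illustration; the hardened forms use \Q...\E (quotemeta) or drop the regex entirely.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# As quoted above: path_info is interpolated into the regex unescaped, so any
# regex metacharacter in the request path is interpreted as regex syntax.
sub script_name_unsafe {
    my ($uri, $path_info) = @_;
    return $uri unless $path_info;
    return ( $uri =~ /$path_info$/ )
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Hardened form 1: \Q...\E quotes metacharacters so path_info matches literally.
sub script_name_quoted {
    my ($uri, $path_info) = @_;
    return $uri unless $path_info;
    return ( $uri =~ /\Q$path_info\E$/ )
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Hardened form 2: no regex at all; compare the tail of the URI with substr.
sub script_name_noregex {
    my ($uri, $path_info) = @_;
    return $uri unless $path_info;
    my $plen = length $path_info;
    my $ends_with = length($uri) >= $plen
        && substr($uri, -$plen) eq $path_info;
    return $ends_with ? substr($uri, 0, length($uri) - $plen) : $uri;
}

# Constructed inputs: '.' in path_info is a wildcard to the unsafe version, so
# "/a.b" wrongly matches the URI tail "/axb" and strips it.
my $uri = '/cgi-bin/script/axb';
printf "unsafe : %s\n", script_name_unsafe($uri, '/a.b');    # /cgi-bin/script
printf "quoted : %s\n", script_name_quoted($uri, '/a.b');    # /cgi-bin/script/axb
printf "noregex: %s\n", script_name_noregex($uri, '/a.b');   # /cgi-bin/script/axb

# A path_info that is not valid regex syntax makes the unsafe version die at
# match time, which is one request killing the handler; both fixes are unaffected.
my $bad = '/report(';
eval { script_name_unsafe($uri, $bad) };
print "unsafe died: $@" if $@;
printf "quoted : %s\n", script_name_quoted($uri, $bad);      # /cgi-bin/script/axb
```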