-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.011 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.011 Advisory Published: 2007-05-17 20:44 UTC Issue Id (internal): OpenPKG-SI-20070329.01 Issue First Created: 2007-03-29 Issue Last Modified: 2007-05-17 Issue Revision: 06 ____________________________________________________________________________ Subject Name: Apache/mod_perl Subject Summary: Perl Extension Module for Apache Subject Home: http://perl.apache.org/ Subject Versions: 1.* <= 1.29 Vulnerability Id: CVE-2007-1349 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service Description: A vulnerability exists [0] in the Apache extension module mod_perl [1], which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a regular expression in "PerlRun.pm" that uses the "path_info" variable without properly escaping it [2]. This can be exploited to cause a DoS by sending requests with specially crafted URLs to a vulnerable server [3][4]. References: [0] http://www.gossamer-threads.com/lists/modperl/modperl/92739 [1] http://perl.apache.org/ [2] http://svn.apache.org/viewvc?view=rev&revision=521582 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349 [4] http://secunia.com/advisories/24678/ ____________________________________________________________________________ Primary Package Name: apache Primary Package Home: http://openpkg.org/go/package/apache Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID apache-1.3.37-E1.0.4 OpenPKG Community CURRENT apache-1.3.37-20070329 OpenPKG Community CURRENT apache-php4-1.3.37-20070329 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document. ____________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG GmbH <http://openpkg.com/> iD8DBQFGTKKIZwQuyWG3rjQRAhfEAKDQEc9PK0VID5R9ol6yl2kvb8axKQCfWJv6 +Zwxmn1fB+F0nqnGL5XaGLc= =3xNo -----END PGP SIGNATURE----- ______________________________________________________________________ OpenPKG http://openpkg.org Announcement List openpkg-announce@openpkg.org