Security Advisory Moderate: mod_perl security update

Advisory: RHSA-2007:0486-2
Type: Security Advisory
Severity: Moderate
Issued on: 2007-06-18
Last updated on: 2007-06-18
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-1349

Details

Updated mod_perl packages that fix a security issue are now available for Red
Hat Enterprise Linux 2.1.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Mod_perl incorporates a Perl interpreter into the Apache web server,
so that the Apache HTTP server can directly execute Perl code.

The Apache::PerlRun module was found to not properly escape PATH_INFO
before being used in a regular expression. If a server is configured to
use Apache::PerlRun, an attacker could request a carefully crafted URI
causing resource consumption, which could lead to a denial of service
(CVE-2007-1349).

Users of mod_perl should update to these erratum packages which contain a
backported fix to correct this issue.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)
SRPMS:
mod_perl-1.26-8.el2.src.rpm     ba662e554fb38d47a75b5e1e38d66feb
 
IA-32:
mod_perl-1.26-8.el2.i386.rpm     944c97379c59adeb21d3e714f5c0e88d
 
IA-64:
mod_perl-1.26-8.el2.ia64.rpm     378a98638750c8e1aacd05723be0f70a
 
Red Hat Enterprise Linux ES (v. 2.1)
SRPMS:
mod_perl-1.26-8.el2.src.rpm     ba662e554fb38d47a75b5e1e38d66feb
 
IA-32:
mod_perl-1.26-8.el2.i386.rpm     944c97379c59adeb21d3e714f5c0e88d
 
Red Hat Enterprise Linux WS (v. 2.1)
SRPMS:
mod_perl-1.26-8.el2.src.rpm     ba662e554fb38d47a75b5e1e38d66feb
 
IA-32:
mod_perl-1.26-8.el2.i386.rpm     944c97379c59adeb21d3e714f5c0e88d
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
SRPMS:
mod_perl-1.26-8.el2.src.rpm     ba662e554fb38d47a75b5e1e38d66feb
 
IA-64:
mod_perl-1.26-8.el2.ia64.rpm     378a98638750c8e1aacd05723be0f70a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

240423 - CVE-2007-1349 mod_perl PerlRun denial of service


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1349
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/