[USN-488-1] mod_perl vulnerability

Kees Cook <kees@xxxxxxxxxx> · Tue, 17 Jul 2007 17:03:16 -0700

=========================================================== 
Ubuntu Security Notice USN-488-1              July 17, 2007
libapache2-mod-perl2 vulnerability
CVE-2007-1349
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libapache2-mod-perl2                     2.0.2-2ubuntu1.6.06.1

Ubuntu 6.10:
  libapache2-mod-perl2                     2.0.2-2ubuntu1.6.10.1

Ubuntu 7.04:
  libapache2-mod-perl2                     2.0.2-2.3ubuntu1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Alex Solovey discovered that mod_perl did not correctly validate certain
regular expression matches.  A remote attacker could send a specially
crafted request to a web application using mod_perl, causing the web
server to monopolize CPU resources.  This could lead to a remote denial
of service.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.06.1.diff.gz
      Size/MD5:     9628 f497977199cfe7bf7acdfa2c0cde2eed
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.06.1.dsc
      Size/MD5:      998 7f889342264c7d06a6ffd60062dab734
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2.orig.tar.gz
      Size/MD5:  3692744 ad0a509fd34e3b8452887d80a1d45dea

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.06.1_amd64.deb
      Size/MD5:    75322 5b89b5653519c0510576aa82b9fc4f5e
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.06.1_amd64.deb
      Size/MD5:  3107230 ecb39dbd89462fb9b9682aef0b6a1235
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.06.1_amd64.deb
      Size/MD5:  1110112 ff31fbd491116c5f8c91d757e8301c19

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.06.1_i386.deb
      Size/MD5:    75314 53b3c9646059d0eacc4e0f3e516e70c0
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.06.1_i386.deb
      Size/MD5:  3107228 e4edd114c2c75ad319325182c23dd5fa
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.06.1_i386.deb
      Size/MD5:  1079348 e90f4d9cdc8b5b2e80a53cd1b1798f13

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.06.1_powerpc.deb
      Size/MD5:    75318 8ad67903ccd57505913ac89ecb2e887c
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.06.1_powerpc.deb
      Size/MD5:  3107232 0b8647bcddcb0db03ef519766e5df681
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.06.1_powerpc.deb
      Size/MD5:  1155804 4356f995aafef49458f55ab994473c5b

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.06.1_sparc.deb
      Size/MD5:    75314 b550a8744b5d454d59c34f0b499cb5d7
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.06.1_sparc.deb
      Size/MD5:  3107228 863b67f9b585a39002bf4b4ef2d978a1
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.06.1_sparc.deb
      Size/MD5:  1089070 55f0d299239f5d8ec1d1b1959e187317

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.10.1.diff.gz
      Size/MD5:     9630 8931dae2b1c65dc46174bfc699daf06d
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.10.1.dsc
      Size/MD5:      998 ddf93bb0b197442d62366239d0850acb
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2.orig.tar.gz
      Size/MD5:  3692744 ad0a509fd34e3b8452887d80a1d45dea

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.10.1_amd64.deb
      Size/MD5:    75364 671eecfcd15ffec6221b52a295f27c78
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.10.1_amd64.deb
      Size/MD5:  3107284 c50a1ec820fe819ebcf12e8d92b89a80
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.10.1_amd64.deb
      Size/MD5:  1107574 8754c106ab3937d6ed2cc32b84f7a701

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.10.1_i386.deb
      Size/MD5:    75362 a597a8fa7f91a8a57a7c96b3a312f9df
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.10.1_i386.deb
      Size/MD5:  3107300 309b7861ec7e00283c117845f5c485c1
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.10.1_i386.deb
      Size/MD5:  1079150 51e832bdf8214b857847bbf88f481de3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.10.1_powerpc.deb
      Size/MD5:    75370 009c49eafaa0e3a01c3711aa61b240c8
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.10.1_powerpc.deb
      Size/MD5:  3107306 3429bbe0161ec52d59e41b8d3f985ecb
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.10.1_powerpc.deb
      Size/MD5:  1150766 aa2da5195df10ebf278bb07ab69254e0

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2ubuntu1.6.10.1_sparc.deb
      Size/MD5:    75370 1ca37636d692aa55fc23e48cb2525a97
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2ubuntu1.6.10.1_sparc.deb
      Size/MD5:  3107274 1c78d621cee62ed906527c9b13eef3b0
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.6.10.1_sparc.deb
      Size/MD5:  1084550 4a2a43ef790df1ad26ab3eadce94d915

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2.3ubuntu1.diff.gz
      Size/MD5:    10074 127845cc9bcbdaaafe10d2cb19894016
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2.3ubuntu1.dsc
      Size/MD5:     1069 e594fff200e39c5b2d32afbef31ffb94
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2.orig.tar.gz
      Size/MD5:  3692744 ad0a509fd34e3b8452887d80a1d45dea

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2.3ubuntu1_amd64.deb
      Size/MD5:    75588 b1f6133f1885af8f1f87708faa2a60db
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2.3ubuntu1_amd64.deb
      Size/MD5:  3107526 7490be6f0b18fa08dbef37e2fafa54f2
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2.3ubuntu1_amd64.deb
      Size/MD5:  1112102 24692fb297bb18c7b8cee934ea189224

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2.3ubuntu1_i386.deb
      Size/MD5:    75592 fd71ab7ee62c4108120c9291c995ad80
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2.3ubuntu1_i386.deb
      Size/MD5:  3107524 8b2bf71217004adb579ef69ee4b33c38
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2.3ubuntu1_i386.deb
      Size/MD5:  1083958 31ee84ee8393518fb90d3c03b93bbdda

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2.3ubuntu1_powerpc.deb
      Size/MD5:    75596 fb941bcadd4e28fa0fb5040768eb65e4
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2.3ubuntu1_powerpc.deb
      Size/MD5:  3107518 822a2ccc5ae2c38630e387d8135793a0
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2.3ubuntu1_powerpc.deb
      Size/MD5:  1186164 1b99b9c429ad2e3e739cbdb4f5f2c956

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.2-2.3ubuntu1_sparc.deb
      Size/MD5:    75598 c0216a2beb6699e4b2c48d0c0ef49509
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.2-2.3ubuntu1_sparc.deb
      Size/MD5:  3107526 8a11b8856ffa7e375812bed6d4a79da9
    http://security.ubuntu.com/ubuntu/pool/main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2.3ubuntu1_sparc.deb
      Size/MD5:  1089232 917ea0cd5251737b74fc781f42899264

Attachment:
signature.asc

Description: Digital signature