The URL or has entered CPAN as

  file: $CPAN/authors/id/G/GO/GOZER/mod_perl-1.30.tar.gz
  size: 389029 bytes
   md5: bfd6f6cff1ab1cc3dbb58a236701d169

This release is a security release. This is the first release in a long while, and even though it was triggered by an important security issue, it also includes a good collection of bug fixes, so upgrading is doubly a good idea!

URL regular expression DoS (CVE-2007-1349)

A flaw was discovered in the Apache::PerlRun module shipped with mod_perl 1.29 and earlier and in the ModPerl::RegistryCooker module shipped with mod_perl 2.03 and earlier. A remote attacker could craft a URL with a path that would be interpreted as a regular expression, potentially allowing a denial of service by creating an expression that will take a very long time to run.

This vulnerability only affects Apache::PerlRun and custom subclasses of ModPerl::RegistryCooker that explicitly use the namespace_from_uri() method. The Apache::Registry, ModPerl::PerlRun, and ModPerl::Registry modules are NOT affected.

Users of mod_perl 1.29 and earlier are encouraged to upgrade to 1.30 if they use Apache::PerlRun for their applications.

Changes since 1.29:

SECURITY: CVE-2007-1349 (cve.mitre.org) fix unescaped variable interpolation in Apache::PerlRun regular expression to prevent regex engine tampering. reported by Alex Solovey [Randal L. Schwartz <suppressed>, Fred Moyer <suppressed>]

sync Apache-SizeLimit with latest version from CPAN (0.91) [Philip M. Gollucci, Philippe M. Chiasson]

Fix an Apache::(Registry|PerlRun) bug caused by special characters in the url [suppressed]

Display a more verbose message if Apache.pm can't be loaded [Geoffrey Young]

Fix incorrect win32 detection in Apache::SizeLimit reported by Matt Phillips <suppressed> [Philippe M. Chiasson]

The print-a-scalar-reference feature is now deprecated and documented as such [Stas]

fix "PerlSetVar Foo 0" so that $r->dir_config('Foo') returns 0, not undef [Geoffrey Young]

for some reason .pm files during the modperl build see $ENV{PERL5LIB} set in Makefile.PL, which is used for generating Makefiles, as "PERL5LIB=/path:/another/path" instead of "/path:/another/path" essentially rendering this env var useless. I'm not sure why, maybe MakeMaker kicks in somewhere. Trying to work around by s/PERL5LIB/PERL5LIB_ENV/, using anything that's not PERL5LIB. [Stas]

change $INC{$key} = undef; to delete $INC{$key}; in PerlFreshRestart [Geoffrey Young]

Fix a bug in Makefile.PL for Win32 where it would, in certain cases, pick up the wrong Perl include directory [Steve Hay]

------------------------------------------------------------------------
Philippe M. Chiasson GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/ m/gozer\@(apache|cpan|ectoplasm)\.org/
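The flaw class named in the CVE-2007-1349 entry above, unescaped variable interpolation in a regular expression, shown as an added Perl example. This is not mod_perl's code or part of the original announcement; the function names and the sample URIs are constructed for illustration. It strips a trailing path_info from a URI three ways: with the value interpolated as a pattern, with \Q...\E quoting, and with a regex-free suffix comparison.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers (not mod_perl's code): derive the script part of a
# request URI by removing the trailing path_info.

# BEFORE: $path_info is interpolated as a pattern, so client-supplied
# metacharacters are compiled and executed by the regex engine.
sub script_name_unescaped {
    my ($uri, $path_info) = @_;
    return ($path_info ne '' && $uri =~ /$path_info$/)
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# AFTER: \Q...\E quotes every metacharacter, so the value matches literally.
sub script_name_quoted {
    my ($uri, $path_info) = @_;
    return ($path_info ne '' && $uri =~ /\Q$path_info\E$/)
        ? substr($uri, 0, length($uri) - length($path_info))
        : $uri;
}

# Alternative with no regex at all: plain suffix comparison.
sub script_name_suffix {
    my ($uri, $path_info) = @_;
    my $n = length $path_info;
    return $uri if $n == 0 || $n > length $uri;
    return substr($uri, -$n) eq $path_info ? substr($uri, 0, -$n) : $uri;
}

# Constructed sample requests: [uri, path_info]
my @samples = (
    ['/perl/report.pl/2007/03', '/2007/03'],   # plain text, all three agree
    ['/perl/report.pl/a+b',     '/a+b'],       # '+' is read as a quantifier
    ['/perl/report.pl/x(',      '/x('],        # invalid pattern, the match dies
);

for my $s (@samples) {
    my ($uri, $pi) = @$s;
    my $old = eval { script_name_unescaped($uri, $pi) };
    $old = 'died: ' . (split /\n/, $@)[0] unless defined $old;
    printf "%-26s unescaped=%s\n%-26s quoted=%s suffix=%s\n",
        $uri, $old, '', script_name_quoted($uri, $pi),
        script_name_suffix($uri, $pi);
}
```

When auditing custom subclasses that call namespace_from_uri(), look for any `=~ /$var/` or `s/$var/.../` where `$var` derives from the request and is not wrapped in `\Q...\E` or passed through `quotemeta`.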