Bug 23541 - apache-mod_perl new security issue CVE-2011-2767
Summary: apache-mod_perl new security issue CVE-2011-2767
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-07 19:40 CEST by David Walser
Modified: 2018-11-17 12:18 CET

See Also:
Source RPM: apache-mod_perl-2.0.10-3.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-09-07 19:40:01 CEST
Fedora has issued an advisory today (September 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3GS7G4X3FRAUBMBVQ4QXZAGZH2JIMG4/

More details in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1623265

Mageia 5 and Mageia 6 are also affected.
Comment 1 Marja Van Waes 2018-09-08 13:28:10 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Bruno Cornec 2018-10-22 22:49:43 CEST
apache-mod_perl-2.0.10-5.mga7 submitted for cauldron

Version: Cauldron => 6
Assignee: shlomif => bruno
Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 3 Bruno Cornec 2018-10-23 11:43:29 CEST
apache-mod_perl-2.0.10-1.1.mga6 submitted for mga6

Assignee: bruno => qa-bugs

Comment 4 David Walser 2018-10-23 14:18:48 CEST
It didn't build.

Assignee: qa-bugs => bruno

Comment 5 Bruno Cornec 2018-10-24 21:00:50 CEST
apache-mod_perl-2.0.10-6.mga7 and apache-mod_perl-2.0.10-1.1.mga6 have been uploaded

Assignee: bruno => qa-bugs

Comment 6 David Walser 2018-10-25 00:43:33 CEST
Advisory:
========================

Updated apache-mod_perl packages fix security vulnerability:

A flaw was found in mod_perl 2.0 through 2.0.10 which allows attackers to
execute arbitrary Perl code by placing it in a user-owned .htaccess file,
because (contrary to the documentation) there is no configuration option that
permits Perl code for the administrator's control of HTTP request processing
without also permitting unprivileged users to run Perl code in the context of
the user account that runs Apache HTTP Server processes (CVE-2011-2767).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2767
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G3GS7G4X3FRAUBMBVQ4QXZAGZH2JIMG4/
========================

Updated packages in core/updates_testing:
========================
apache-mod_perl-2.0.10-1.1.mga6
apache-mod_perl-devel-2.0.10-1.1.mga6
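The advisory above describes the exposure: with mod_perl loaded and overrides enabled, a user who can write an .htaccess file can have the server compile and run Perl from it, as the account httpd runs under. A packager or admin who wants to know whether any such files exist on a host can audit the document tree for the directives involved. The script below is an added example for this bug, not code from Mageia, the mod_perl project or the advisory. It treats PerlModule, PerlRequire and <Perl> sections as the documented code-loading directives; the other names in its list (PerlPostConfigRequire, PerlConfigRequire, PerlLoadModule, PerlSwitches) are included on the assumption that they should be reviewed alike. The sample .htaccess contents and the paths under public_html are constructed for the demo.

```python
#!/usr/bin/env python3
"""Audit .htaccess files for directives that make mod_perl load or run Perl.

Added example for this bug report; not code from Mageia, mod_perl or the
advisory. mod_perl 2.0 documents PerlModule, PerlRequire and <Perl> sections
as loading/compiling Perl; the other directives below are included on the
assumption that they behave alike and should be reviewed too.
"""
import os
import re
import tempfile
from pathlib import Path

PERL_CODE_DIRECTIVES = (
    "PerlModule", "PerlRequire", "PerlPostConfigRequire",
    "PerlConfigRequire", "PerlLoadModule", "PerlSwitches",
)
# Matches an opening <Perl> section or any of the directives above at the
# start of a line (Apache directive names are case-insensitive).
DIRECTIVE_RE = re.compile(
    r"^(?:<Perl\b|(?:%s)\b)" % "|".join(PERL_CODE_DIRECTIVES), re.IGNORECASE)


def risky_lines(text):
    """Return [(line_no, line)] for the lines of an .htaccess body that would
    make mod_perl load or run Perl code. Blank lines and comments are skipped."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DIRECTIVE_RE.match(line):
            hits.append((n, line))
    return hits


def audit_tree(root):
    """Walk `root` and return (path, owner_uid, hits) for every .htaccess that
    contains Perl-loading directives. A non-root owner_uid means an
    unprivileged user could have put that code there."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = Path(dirpath) / ".htaccess"
        hits = risky_lines(path.read_text(errors="replace"))
        if hits:
            findings.append((str(path), path.stat().st_uid, hits))
    return sorted(findings)


# Constructed sample .htaccess bodies for the demo; not real site data.
SAMPLES = {
    "docs/.htaccess": (
        "# benign: auth and rewrite directives only\n"
        "AuthType Basic\n"
        "AuthName \"docs\"\n"
        "Require valid-user\n"
        "RewriteEngine On\n"
    ),
    "alice/.htaccess": (
        "# pulls a user-controlled Perl file into the server at config time\n"
        "PerlRequire /home/alice/startup.pl\n"
    ),
    "bob/.htaccess": (
        "# inline Perl, compiled and run as the httpd user\n"
        "<Perl>\n"
        "warn \"perl ran as uid $>\";\n"
        "</Perl>\n"
    ),
}


def build_sample_tree(base):
    """Write SAMPLES under base/public_html and return that directory."""
    root = Path(base) / "public_html"
    for rel, body in SAMPLES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


def demo():
    """Audit the constructed tree; return the flagged paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [os.path.relpath(p, root) for p, _uid, _hits in audit_tree(root)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        for path, uid, hits in audit_tree(root):
            print("%s (owner uid %d)" % (path, uid))
            for n, line in hits:
                print("  line %d: %s" % (n, line))
```

Point audit_tree() at the DocumentRoot and any user web directories (public_html) of a real host instead of the temp tree; a hit in a file owned by a non-root uid is exactly the situation the advisory describes. The script only finds files that an unpatched mod_perl would honour; the fix on a Mageia system is the updated apache-mod_perl package listed above.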
Comment 7 Herman Viaene 2018-11-15 12:19:07 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Used
# urpmq --whatrequires apache-mod_perl
but nothing came out that I could put my teeth into.
Is clean install OK???

CC: (none) => herman.viaene

Comment 8 David Walser 2018-11-15 14:40:20 CET
Also use httpd -M to make sure it loaded the module OK and that Apache runs with it without crashing.
Comment 9 Herman Viaene 2018-11-16 14:52:08 CET
httpd -M shows amongst others:
 perl_module (shared)
Sufficient for OK'ing????
Comment 10 David Walser 2018-11-16 16:08:07 CET
If that's all you can do.  Would be nice to test that it doesn't crash if possible.
Comment 11 Herman Viaene 2018-11-17 12:18:03 CET
I used apache in bug 23826 with this update, and another one which is gone from the update list now.
