perl-docs-cvs mailing list archives

Subject svn commit: r523447 - /perl/modperl/docs/trunk/src/dist/HEADER.html
Date Wed, 28 Mar 2007 20:08:29 GMT
Author: geoff
Date: Wed Mar 28 13:08:27 2007
New Revision: 523447

add in CVE-2007-1349 note


Modified: perl/modperl/docs/trunk/src/dist/HEADER.html
--- perl/modperl/docs/trunk/src/dist/HEADER.html (original)
+++ perl/modperl/docs/trunk/src/dist/HEADER.html Wed Mar 28 13:08:27 2007
@@ -2,6 +2,25 @@
 <img src="../images/logo/mod_perl_logo.jpg">
+<b>URL regular expression DoS (CVE-2007-1349)</b><br>
+A flaw was discovered in the Apache::PerlRun module shipped with
+mod_perl 1.29 and earlier and in the ModPerl::RegistryCooker module shipped with
+mod_perl 2.03 and earlier.  A remote attacker could craft a URL with a path that
+would be interpreted as a regular expression, potentially allowing a
+denial of service by creating an expression that will take a very long
+time to run.  This vulnerability only affects Apache::PerlRun and
+custom subclasses of ModPerl::RegistryCooker that explicitly use the
+namespace_from_uri() method.  The Apache::Registry, ModPerl::PerlRun,
+and ModPerl::Registry modules are NOT affected.
+Users of mod_perl 1.29 and earlier are encouraged to upgrade to 1.30 if
+they use Apache::PerlRun for their applications.  Users of mod_perl 2.03
+are encouraged to check their custom code for calls to the
+namespace_from_uri() method and replace it with the
+namespace_from_filename() method.
 <b>Please note!</b><br>
 mod_perl-1.24_01.tar.gz or later is required for Apache >= 1.3.14.
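
Review bot: The remediation advice at the end of the added note is narrower than the affected range given in its first sentence. The opening says "mod_perl 2.03 and earlier", but the closing guidance addresses only "Users of mod_perl 2.03", and unlike the 1.x advice ("upgrade to 1.30") it names no fixed 2.x release, so readers on older 2.x versions are left without guidance. Suggest "Users of mod_perl 2.03 and earlier" and, if a fixed 2.x release is available, naming it alongside the code-audit advice. Minor wording: "calls to the namespace_from_uri() method and replace it" should read "replace them".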
