XSS in Status.pm

Related Vulnerabilities: CVE-2009-0796  

Debian Bug report logs - #567635


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 30 Jan 2010 11:21:02 UTC

Severity: grave

Tags: security

Found in version libapache2-mod-perl2/2.0.4-5

Fixed in versions libapache2-mod-perl2/2.0.4-6, libapache2-mod-perl2/2.0.4-5+lenny1

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#567635; Package libapache2-mod-perl2. (Sat, 30 Jan 2010 11:21:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 30 Jan 2010 11:21:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS in Status.pm
Date: Sat, 30 Jan 2010 12:17:19 +0100
Package: libapache2-mod-perl2
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0796
which contains links to the upstream commits.

This doesn't warrant a DSA, but it would be nice if you could fix this
in a stable point update for Lenny.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-perl2 depends on:
pn  apache2.2-common            <none>       (no description available)
ii  libapr1                     1.3.8-1      The Apache Portable Runtime Librar
ii  libaprutil1                 1.3.9+dfsg-3 The Apache Portable Runtime Utilit
ii  libc6                       2.10.2-5     Embedded GNU C Library: Shared lib
ii  libdevel-symdump-perl       2.08-2       Perl module for inspecting perl's 
ii  libperl5.10                 5.10.1-9     shared Perl library
ii  liburi-perl                 1.52-1       module to manipulate and access UR
ii  libuuid1                    2.16.2-0     Universally Unique ID library
ii  libwww-perl                 5.834-1      Perl HTTP/WWW client/server librar
ii  netbase                     4.40         Basic TCP/IP networking system
ii  perl [libmime-base64-perl]  5.10.1-9     Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.0]  5.10.1-9     minimal Perl system

Versions of packages libapache2-mod-perl2 recommends:
pn  libapache2-reload-perl        <none>     (no description available)
pn  libbsd-resource-perl          <none>     (no description available)

libapache2-mod-perl2 suggests no packages.
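The report above only points at the CVE entry, and the patch itself (100-svn-XSS-Status.patch) is attached later in the log rather than shown. For readers who want to see the class of bug being fixed, the following Perl is an added illustration of a reflected XSS in a status-page handler and of the escaping that closes it. It is not the code of Apache2::Status and not the upstream r760926 patch: the handler shape, the `menu` parameter, the constructed query string and the `parse_args` stand-in for mod_perl's `$r->args` are all assumptions made for this example.

```perl
#!/usr/bin/perl
# Added illustration of the reflected-XSS pattern in a "status page" handler
# and the context-aware escaping that fixes it. NOT the Apache2::Status code
# and NOT the upstream r760926 patch: the handler, the "menu" parameter and
# the query string below are assumptions made for this example, and
# parse_args() stands in for mod_perl's $r->args.
use strict;
use warnings;

# Stand-in for $r->args: decode "k=v&k2=v2" into a hash (assumed shape).
sub parse_args {
    my ($query) = @_;
    my %args;
    for my $pair (split /&/, $query // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $args{$k} = $v // '';
    }
    return \%args;
}

# Escape the five characters that matter in HTML text and attribute values.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Percent-encode everything outside the RFC 3986 unreserved set, for a
# value that is placed back into a query string.
sub escape_uri_component {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf '%%%02X', ord $1/ge;
    return $s;
}

# Vulnerable pattern: the request parameter is copied into the heading and
# into a self-referencing link as-is, so a crafted URL controls the markup.
sub render_vulnerable {
    my ($args) = @_;
    my $menu = $args->{menu} // 'main';
    return "<h1>Status: $menu</h1>\n"
         . "<a href=\"?menu=$menu&amp;refresh=1\">refresh</a>\n";
}

# Fixed pattern: escape for the context each copy lands in. The heading is
# HTML text; the link value is first URL-encoded (it is a query component)
# and then HTML-escaped (it sits inside an attribute value).
sub render_fixed {
    my ($args) = @_;
    my $menu      = $args->{menu} // 'main';
    my $text_menu = escape_html($menu);
    my $link_menu = escape_html(escape_uri_component($menu));
    return "<h1>Status: $text_menu</h1>\n"
         . "<a href=\"?menu=$link_menu&amp;refresh=1\">refresh</a>\n";
}

# Constructed request: a URL-encoded <script> element in the menu parameter.
my $query = 'menu=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
my $args  = parse_args($query);

print "--- vulnerable ---\n", render_vulnerable($args);
print "--- fixed ---\n",      render_fixed($args);

# Self-check: the hardened output must not contain an unescaped tag.
die "fixed renderer still reflects markup\n"
    if render_fixed($args) =~ /<script/i;
```

Run it with `perl` 5.10 or later (the `//` operator needs 5.10, which matches the perl version listed above). The vulnerable renderer emits the `<script>` element verbatim; the fixed one emits `&lt;script&gt;...` in the heading and `%3Cscript%3E...` in the link. The point worth keeping from the fix is that one escaping routine is not enough: the same value needs URL encoding when it becomes part of a link and HTML escaping when it becomes text or an attribute.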




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#567635; Package libapache2-mod-perl2. (Sat, 30 Jan 2010 14:57:06 GMT).


Message #8 received at 567635@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 567635@bugs.debian.org, 567635-submitter@bugs.debian.org
Subject: Bug in libapache2-mod-perl2 fixed in revision 51852
Date: Sat, 30 Jan 2010 14:51:18 +0000
tag 567635 + pending
thanks

Some bugs are closed in revision 51852
by Damyan Ivanov (dmn)

Commit message:

add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
Patch taken from r760926 of upstream SVN.
Closes: #567635




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 30 Jan 2010 14:57:10 GMT).


Bug Marked as found in versions libapache2-mod-perl2/2.0.4-5. Request was from Damyan Ivanov <dmn@debian.org> to control@bugs.debian.org. (Sat, 30 Jan 2010 14:57:14 GMT).


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#567635. (Sat, 30 Jan 2010 14:57:17 GMT).


Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (Sat, 30 Jan 2010 16:33:07 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 30 Jan 2010 16:33:07 GMT).


Message #20 received at 567635-close@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 567635-close@bugs.debian.org
Subject: Bug#567635: fixed in libapache2-mod-perl2 2.0.4-6
Date: Sat, 30 Jan 2010 16:32:15 +0000
Source: libapache2-mod-perl2
Source-Version: 2.0.4-6

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive:

libapache2-mod-perl2-dev_2.0.4-6_all.deb
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.4-6_all.deb
libapache2-mod-perl2-doc_2.0.4-6_all.deb
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.4-6_all.deb
libapache2-mod-perl2_2.0.4-6.diff.gz
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.4-6.diff.gz
libapache2-mod-perl2_2.0.4-6.dsc
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.4-6.dsc
libapache2-mod-perl2_2.0.4-6_amd64.deb
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.4-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 30 Jan 2010 18:00:43 +0200
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source all amd64
Version: 2.0.4-6
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 507606 567635
Changes: 
 libapache2-mod-perl2 (2.0.4-6) unstable; urgency=high
 .
   [ gregor herrmann ]
   * debian/control: Changed: (build-)depend on perl instead of perl-
     modules.
 .
   [ Dario Minnucci ]
   * docs/index_top.html: Issued patch 099-fix-url-on-index_top.patch
     to fix link URL. (Closes: #507606)
 .
   [ Damyan Ivanov ]
   * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
     Patch taken from r760926 of upstream SVN.
     Closes: #567635
   * .docs: drop debian/NEWS.Debian and Changes
   * -doc: depend on ${misc:Depends}
   * drop debian/NEWS (documents changes before oldstable)
Checksums-Sha1: 
 d5765b9bef8f187454f91cb45dc3d35d80801dd2 1837 libapache2-mod-perl2_2.0.4-6.dsc
 9db0d78a4292f6f555c9eac3b1af61cc5df998e3 12163 libapache2-mod-perl2_2.0.4-6.diff.gz
 daa63085d10c5f34961aabaf5beac849a2338e5e 79520 libapache2-mod-perl2-dev_2.0.4-6_all.deb
 9ad489267896dbbc922ea4a37c5e8625a4d03663 3130586 libapache2-mod-perl2-doc_2.0.4-6_all.deb
 1432b8c1eb464bf51ff17b63548ab508cab705d8 1112316 libapache2-mod-perl2_2.0.4-6_amd64.deb
Checksums-Sha256: 
 198990d8d20eae6618abbf9841fa4998b6a4a4da13f6ccd667c697539bfa2b44 1837 libapache2-mod-perl2_2.0.4-6.dsc
 9fd7783fa83eb434d18a4a251bb6e53b482d447d5c1333bb2edf271e9c2b96d4 12163 libapache2-mod-perl2_2.0.4-6.diff.gz
 bfdd9e2614eef845cec48f35ce92fcfbef8d38ad2cb24fbee218c434fda26c6e 79520 libapache2-mod-perl2-dev_2.0.4-6_all.deb
 ad664471a8e0345040dea1482fb4c58702c5f3f0b1da63a7c85179658756d7a6 3130586 libapache2-mod-perl2-doc_2.0.4-6_all.deb
 7a4141bef1f8d96d8a672f2b8e2e258473f72d166b3aa275732a014171f0599a 1112316 libapache2-mod-perl2_2.0.4-6_amd64.deb
Files: 
 6cec6d503726729974bf85f77931534b 1837 perl optional libapache2-mod-perl2_2.0.4-6.dsc
 c22139aa4ba40ece6fe19268e708ed30 12163 perl optional libapache2-mod-perl2_2.0.4-6.diff.gz
 8356acd60c4849b7f2e3e3ec13700ff9 79520 libdevel optional libapache2-mod-perl2-dev_2.0.4-6_all.deb
 b41502ec807955e86fa5a36050147863 3130586 doc optional libapache2-mod-perl2-doc_2.0.4-6_all.deb
 b0a32ea07e8a2d68062c9451d5354141 1112316 perl optional libapache2-mod-perl2_2.0.4-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktkXOYACgkQHqjlqpcl9jvdWACgrRgw5Z7mUDKiwmkYieL7fIxt
+XYAn0/uOQsBAoIihhqr4oxQpa4XaWQp
=Mdn8
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#567635; Package libapache2-mod-perl2. (Sat, 30 Jan 2010 22:51:09 GMT).


Message #23 received at 567635@bugs.debian.org:

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 567635@bugs.debian.org, 567635-submitter@bugs.debian.org
Subject: Bug in fixed in revision 51902
Date: Sat, 30 Jan 2010 22:48:44 +0000
tag 567635 + pending
thanks

Some bugs are closed in revision 51902
by Damyan Ivanov (dmn)

Commit message:

add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
Patch taken from r760926 of upstream SVN.
Closes: #567635




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sat, 30 Jan 2010 22:51:11 GMT).


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#567635. (Sat, 30 Jan 2010 22:51:15 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#567635; Package libapache2-mod-perl2. (Sun, 31 Jan 2010 07:24:03 GMT).


Acknowledgement sent to Damyan Ivanov <dmn@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 31 Jan 2010 07:24:03 GMT).


Message #33 received at 567635@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: debian-release@lists.debian.org
Cc: 567635@bugs.debian.org
Subject: [stable] please approve libapache2-mod-perl2/2.0.4-5+lenny1
Date: Sun, 31 Jan 2010 09:20:44 +0200
Dear stable release managers,

Please approve the upload of libapache2-mod-perl2 2.0.4-5+lenny1 to 
stable. This is needed for closing a security bug (#567635, 
CVE-2009-0796) which was not deemed worth a DSA.

Changelog:

libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high

  * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
    Patch taken from r760926 of upstream SVN.
    Closes: #567635

 -- Damyan Ivanov <dmn@debian.org>  Sun, 31 Jan 2010 08:40:19 +0200

100-svn-XSS-Status.patch, interdiff and debdiff attached.

Thank you.
[100-svn-XSS-Status.patch (text/x-diff, attachment)]
[inter.diff (text/x-diff, attachment)]
[deb.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#567635; Package libapache2-mod-perl2. (Sun, 31 Jan 2010 15:42:04 GMT).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 31 Jan 2010 15:42:05 GMT).


Message #38 received at 567635@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Damyan Ivanov <dmn@debian.org>
Cc: debian-release@lists.debian.org, 567635@bugs.debian.org
Subject: Re: [stable] please approve libapache2-mod-perl2/2.0.4-5+lenny1
Date: Sun, 31 Jan 2010 15:38:48 +0000
On Sun, 2010-01-31 at 09:20 +0200, Damyan Ivanov wrote:
> Please approve the upload of libapache2-mod-perl2 2.0.4-5+lenny1 to 
> stable. This is needed for closing a security bug (#567635, 
> CVE-2009-0796) which was not deemed worth a DSA.
> 
> Changelog:
> 
> libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high
> 
>   * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
>     Patch taken from r760926 of upstream SVN.
>     Closes: #567635

Please go ahead.

Regards,

Adam




Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. (Mon, 01 Feb 2010 02:03:06 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 01 Feb 2010 02:03:06 GMT).


Message #43 received at 567635-close@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 567635-close@bugs.debian.org
Subject: Bug#567635: fixed in libapache2-mod-perl2 2.0.4-5+lenny1
Date: Mon, 01 Feb 2010 01:56:23 +0000
Source: libapache2-mod-perl2
Source-Version: 2.0.4-5+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive:

libapache2-mod-perl2-dev_2.0.4-5+lenny1_all.deb
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2-dev_2.0.4-5+lenny1_all.deb
libapache2-mod-perl2-doc_2.0.4-5+lenny1_all.deb
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2-doc_2.0.4-5+lenny1_all.deb
libapache2-mod-perl2_2.0.4-5+lenny1.diff.gz
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.4-5+lenny1.diff.gz
libapache2-mod-perl2_2.0.4-5+lenny1.dsc
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.4-5+lenny1.dsc
libapache2-mod-perl2_2.0.4-5+lenny1_amd64.deb
  to main/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.4-5+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 31 Jan 2010 08:40:19 +0200
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source all amd64
Version: 2.0.4-5+lenny1
Distribution: stable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 567635
Changes: 
 libapache2-mod-perl2 (2.0.4-5+lenny1) stable; urgency=high
 .
   * add 100-svn-XSS-Status.patch; fixes XSS in Apache2::Status (CVE-2009-0796)
     Patch taken from r760926 of upstream SVN.
     Closes: #567635
Checksums-Sha1: 
 00ef0369e5ffb015a2e547b9128451bffe62f744 1873 libapache2-mod-perl2_2.0.4-5+lenny1.dsc
 706099dea7619e59e1bf5458dc4097fffa5b3e3e 12003 libapache2-mod-perl2_2.0.4-5+lenny1.diff.gz
 969e08044a481d2ebcc126a3bab5e0bdc2e45d88 79420 libapache2-mod-perl2-dev_2.0.4-5+lenny1_all.deb
 3789f0cd6e653073aba3e4e2f00a68bcb9d7d90a 3130474 libapache2-mod-perl2-doc_2.0.4-5+lenny1_all.deb
 a6c9fe25879ec0be0fecc6b2a9d936330d98dce2 1149082 libapache2-mod-perl2_2.0.4-5+lenny1_amd64.deb
Checksums-Sha256: 
 f12c136fdc50a17f4c12ce76527997835b334edc1f3834c622db6396d1df8b17 1873 libapache2-mod-perl2_2.0.4-5+lenny1.dsc
 eac2624376842f7e3930420f5d8e38403cce10c22993ccd023daf73b00ad014b 12003 libapache2-mod-perl2_2.0.4-5+lenny1.diff.gz
 56f5e311a73c9e4d2201b6aaaf67db01de5198262c873331a2356fc31e00cdcf 79420 libapache2-mod-perl2-dev_2.0.4-5+lenny1_all.deb
 7cb9f6248449ff9dd02521806b9fba8c472fda24bd61fa9c7096c8f4dc13460e 3130474 libapache2-mod-perl2-doc_2.0.4-5+lenny1_all.deb
 bdee826fc4667666a734338dbe79a671981ac48ac5394312fb2601cc50f92672 1149082 libapache2-mod-perl2_2.0.4-5+lenny1_amd64.deb
Files: 
 7178e522b7325b19c47dba5fd71e6acd 1873 perl optional libapache2-mod-perl2_2.0.4-5+lenny1.dsc
 88743f2a8fd4e1413cb32125f684226d 12003 perl optional libapache2-mod-perl2_2.0.4-5+lenny1.diff.gz
 cf45303826845a0327d38b6d267cae74 79420 libdevel optional libapache2-mod-perl2-dev_2.0.4-5+lenny1_all.deb
 95a95f21a5b6c0af1cb0c1ca50f40263 3130474 doc optional libapache2-mod-perl2-doc_2.0.4-5+lenny1_all.deb
 8fed6b68945838efd6355cbc5a4ed607 1149082 perl optional libapache2-mod-perl2_2.0.4-5+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktl1R8ACgkQHqjlqpcl9jvAiACdHs9EjGcNi6Uyl7fiYJrdwn3G
d4gAoLipT3/4J34rRRcjuTkX8IH/jIRF
=605N
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:35:33 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:58:58 2019; Machine Name: buxtehude
