Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

This fixes a low-severity security issue which was recently fixed in unstable (and also jessie-lts): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169

The release will be set correctly when the changelog is finalised.

Cheers,
Dominic.

diff -Nru libapache2-mod-perl2-2.0.10/debian/changelog libapache2-mod-perl2-2.0.10/debian/changelog --- libapache2-mod-perl2-2.0.10/debian/changelog 2016-12-25 09:51:10.000000000 +0000 +++ libapache2-mod-perl2-2.0.10/debian/changelog 2018-11-16 12:46:23.000000000 +0000 @@ -1,3 +1,10 @@ +libapache2-mod-perl2 (2.0.10-2+deb9u1) UNRELEASED; urgency=medium + + * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in + user controlled configuration (Closes: #644169) + + -- Dominic Hargreaves <d...@earth.li> Fri, 16 Nov 2018 12:46:23 +0000 + libapache2-mod-perl2 (2.0.10-2) unstable; urgency=medium * Patch the test suite for Apache 2.4.24 compatibility. diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch --- libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch 2018-11-16 11:44:22.000000000 +0000 
@@ -0,0 +1,41 @@ +From: Markus Koschany <a...@debian.org> +Date: Tue, 18 Sep 2018 19:03:15 +0200 +Subject: CVE-2011-2767 + +Original patch by Jan Ingvoldstad. + +Bug-Debian: https://bugs.debian.org/644169 +Origin: https://bugs.debian.org/644169#19 +--- + src/modules/perl/mod_perl.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/modules/perl/mod_perl.c b/src/modules/perl/mod_perl.c +index d3245bf..25c64ab 100644 +--- a/src/modules/perl/mod_perl.c ++++ b/src/modules/perl/mod_perl.c +@@ -913,18 +913,18 @@ static const command_rec modperl_cmds[] = { + MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"), + MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"), + MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"), +- MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"), ++ MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"), + + MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter, + "filter[;filter]"), + MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter, + "filter[;filter]"), + +- MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"), +- MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"), ++ MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"), + + MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"), + #ifdef MP_TRACE diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/series libapache2-mod-perl2-2.0.10/debian/patches/series --- libapache2-mod-perl2-2.0.10/debian/patches/series 2016-12-24 21:45:42.000000000 +0000 +++ 
libapache2-mod-perl2-2.0.10/debian/patches/series 2018-11-16 12:46:14.000000000 +0000 @@ -15,3 +15,4 @@ honour-env-LDFLAGS.patch 370_http_syntax.patch 380_inject_header_line_terminators.patch +CVE-2011-2767.patch
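
Review bot: the debian/changelog entry describes only the <Perl> section change, but the embedded patch also moves "=pod", "=back", "=cut" and "__END__" from MP_CMD_DIR_RAW_ARGS_ON_READ to MP_CMD_SRV_RAW_ARGS_ON_READ. For a stable update the entry should name those directives too, so that an admin whose configuration stops loading after the point release can find the cause in the changelog. The UNRELEASED distribution still has to become stretch before upload, as the cover text already notes.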
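
Review bot: the mod_perl.c hunk (@@ -913,18 +913,18 @@) inside debian/patches/CVE-2011-2767.patch switches six directives from the MP_CMD_DIR_* macros to the MP_CMD_SRV_* macros, yet the patch header carries no description of what the narrower scope rejects and the diffstat shows no test being added. Please add a Description field stating the intended effect (the changelog says "don't allow <Perl> sections in user controlled configuration") and say whether the SRV variants also refuse these directives inside per-directory containers of the main server configuration, since that would be a behaviour change for existing stretch installations and not only for user-controlled files. A regression test that checks a <Perl> block is refused in a per-directory override file and still accepted at server level would guard against the macros being reverted. The header also lacks a Forwarded or Applied-Upstream field, so the upstream status of the fix is not recorded.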