On Wed, May 6, 2009 at 7:40 AM, Francois Pernet <francois.per...@idsa.ch> wrote:
> Hi,
>
> We have received the following vulnerability report:
> http://www.securityfocus.com/bid/23192/info
>
> I read the changes for the mod_perl versions but did not find anything
> really clear. We are using mod_perl version 2.0.3 compiled for Suse linux
> enterprise server 10 sp2 used with apache 2.0.x compiled also (we are not
> using rpm versions of these packages).
>
> Can somebody clarify if the vulnerability is still present in version 2.0.3
> and if we are obliged to move to version 2.0.4?
>

As listed on that securityfocus page, the CVE number is CVE-2007-1349. Checking the Changes files for 2.0.3 and 2.0.4, you'll see that 2.0.4 has a fix for that CVE but 2.0.3 doesn't. So 2.0.3 is vulnerable.