[debug]

Apache-mod_perl packages are now available

Package name: apache-mod_perl
Advisory ID: MDKSA-2004:046-1
Date: May 20th, 2004
Original Advisory Date: May 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
__________________________________________________ ____________________

Problem Description:

Four security vulnerabilities were fixed with the 1.3.31 release of
Apache. All of these issues have been backported and applied to the
provided packages. Thanks to Ralf Engelschall of OpenPKG for providing
the patches.

Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences
from its error logs. This could make it easier for attackers to insert
those sequences into the terminal emulators of administrators viewing
the error logs that contain vulnerabilities related to escape sequence
handling (CAN-2003-0020).

mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the
nonce of a client response by using an AuthNonce secret. Apache now
verifies the nonce returned in the client response to check whether it
was issued by itself by means of a "AuthDigestRealmSeed" secret exposed
as an MD5 checksum (CAN-2003-0987).

mod_acces in Apache 1.3 prior to 1.3.30, when running on big-endian
64-bit platforms, did not properly parse Allow/Deny rules using IP
addresses without a netmask. This could allow a remote attacker to
bypass intended access restrictions (CAN-2003-0993).

Apache 1.3 prior to 1.3.30, when using multiple listening sockets on
certain platforms, allows a remote attacker to cause a DoS by blocking
new connections via a short-lived connection on a rarely-accessed
listening socket (CAN-2004-0174). While this particular vulnerability
does not affect Linux, we felt it prudent to include the fix.

Update:

Due to the changes in mod_digest.so, mod_perl needed to be rebuilt
against the patched Apache packages in order for httpd-perl to
properly load the module. The appropriate mod_perl packages have
been rebuilt and are now available.