Security Related BUG within ModPerl 2.0.4

Security Related BUG within ModPerl 2.0.4

am 01.03.2009 05:30:04 von Richard

--_000_85452F8337EB1F46ABFEC605C93DDFB137752ECDDBPROCHKUPEXC H0_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear Sirs,

I would like to report a security related bug within ModPerl 2.0.4, though =
prefer not to disclose the details to a public channel.

The bug was found on a customer's Linux based system, and further confirmed=
on a test bed system which was set up running ModPerl 2.0.4 and Apache 2.2=
..8 both with the latest patches to confirm that it was not a configuration =
issue.

Please reply to me on a secure channel, and I will be more than happy to pr=
ovide further details.

Best Regards,

Richard

--_000_85452F8337EB1F46ABFEC605C93DDFB137752ECDDBPROCHKUPEXC H0_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" xmlns:p=3D"urn:schemas-m=
icrosoft-com:office:powerpoint" xmlns:a=3D"urn:schemas-microsoft-com:office=
:access" xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s=3D"=
uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs=3D"urn:schemas-microsof=
t-com:rowset" xmlns:z=3D"#RowsetSchema" xmlns:b=3D"urn:schemas-microsoft-co=
m:office:publisher" xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadshee=
t" xmlns:c=3D"urn:schemas-microsoft-com:office:component:spread sheet" xmlns=
:odc=3D"urn:schemas-microsoft-com:office:odc" xmlns:oa=3D"urn:schemas-micro=
soft-com:office:activation" xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" xmlns:D=3D"DAV:" xmln=
s:mt=3D"http://schemas.microsoft.com/sharepoint/soap/meeting s/" xmlns:x2=3D=
"http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois=3D"http://sc=
hemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir=3D"http://schemas.micro=
soft.com/sharepoint/soap/directory/" xmlns:ds=3D"http://www.w3.org/2000/09/=
xmldsig#" xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp" xmlns:u=
dc=3D"http://schemas.microsoft.com/data/udc" xmlns:xsd=3D"http://www.w3.org=
/2001/XMLSchema" xmlns:sub=3D"http://schemas.microsoft.com/sharepoint/soap/=
2002/1/alerts/" xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#" xmlns:sp=3D"=
http://schemas.microsoft.com/sharepoint/" xmlns:sps=3D"http://schemas.micro=
soft.com/sharepoint/soap/" xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-in=
stance" xmlns:udcs=3D"http://schemas.microsoft.com/data/udc/soap" xmlns:udc=
xf=3D"http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p=3D"http:/=
/schemas.microsoft.com/data/udc/parttopart" xmlns:wf=3D"http://schemas.micr=
osoft.com/sharepoint/soap/workflow/" xmlns:dsss=3D"http://schemas.microsoft=
..com/office/2006/digsig-setup" xmlns:dssi=3D"http://schemas.microsoft.com/o=
ffice/2006/digsig" xmlns:mdssi=3D"http://schemas.openxmlformats.org/package=
/2006/digital-signature" xmlns:mver=3D"http://schemas.openxmlformats.org/ma=
rkup-compatibility/2006" xmlns:m=3D"http://schemas.microsoft.com/office/200=
4/12/omml" xmlns:mrels=3D"http://schemas.openxmlformats.org/package/200 6/re=
lationships" xmlns:spwp=3D"http://microsoft.com/sharepoint/webpartpages" xm=
lns:ex12t=3D"http://schemas.microsoft.com/exchange/services/ 2006/types" xml=
ns:ex12m=3D"http://schemas.microsoft.com/exchange/services/2 006/messages" x=
mlns:pptsl=3D"http://schemas.microsoft.com/sharepoint/soap/S lideLibrary/" x=
mlns:spsl=3D"http://microsoft.com/webservices/SharePointPort alServer/Publis=
hedLinksService" xmlns:Z=3D"urn:schemas-microsoft-com:" xmlns:st=3D"" x=
mlns=3D"http://www.w3.org/TR/REC-html40">












Dear Sirs,



 



I would like to report a security related bug within M=
odPerl
2.0.4, though prefer not to disclose the details to  a public channel.=



 



The bug was found on a customer’s Linux based sy=
stem,
and further confirmed on a test bed system which was set up running ModPerl
2.0.4 and Apache 2.2.8 both with the latest patches to confirm that it was =
not
a configuration issue.



 



Please reply to me on a secure channel, and I will be =
more
than happy to provide further details.



 



Best Regards,



 



Richard









--_000_85452F8337EB1F46ABFEC605C93DDFB137752ECDDBPROCHKUPEXC H0_--

Re: Security Related BUG within ModPerl 2.0.4

am 01.03.2009 08:51:56 von wrowe

> I would like to report a security related bug within ModPerl 2.0.4,
> though prefer not to disclose the details to a public channel.

The appropriate secure channel for all ASF related security vulnerability
reporting is the closed list, security@apache.org, which will be triaged
to the appropriate committers or committee.

Re: Security Related BUG within ModPerl 2.0.4

am 01.03.2009 15:36:08 von Geoffrey Young

William A. Rowe, Jr. wrote:
>> I would like to report a security related bug within ModPerl 2.0.4,
>> though prefer not to disclose the details to a public channel.
>
> The appropriate secure channel for all ASF related security vulnerability
> reporting is the closed list, security@apache.org, which will be triaged
> to the appropriate committers or committee.

and thanks for treating a potential security vulnerability in a
thoughtful manner.

--Geoff