Vulnerability ?

on 06.05.2009 13:40:28 by Francois Pernet

Hi,

We have received the following vulnerability report:
http://www.securityfocus.com/bid/23192/info

I read the changes for the mod_perl versions but did not find anything really clear. We are using mod_perl version 2.0.3 compiled for Suse linux enterprise server 10 sp2 used with apache 2.0.x compiled also (we are not using rpm versions of these packages).

Can somebody clarify if the vulnerability is still present in version 2.0.3 and if we are obliged to move to version 2.0.4?

Many thanks in advance

Francois

Re: Vulnerability ?

on 06.05.2009 14:28:03 by Jeff Trawick

On Wed, May 6, 2009 at 7:40 AM, Francois Pernet wrote:

> Hi,
>
> We have received the following vulnerability report:
> http://www.securityfocus.com/bid/23192/info
>
> I read the changes for the mod_perl versions but did not find anything
> really clear. We are using mod_perl version 2.0.3 compiled for Suse linux
> enterprise server 10 sp2 used with apache 2.0.x compiled also (we are not
> using rpm versions of these packages).
>
> Can somebody clarify if the vulnerability is still present in version 2.0.3
> and if we are obliged to move to version 2.0.4?
>

As listed on that securityfocus page, the CVE number is CVE-2007-1349.
Checking the Changes files for 2.0.3 and 2.0.4, you'll see that 2.0.4 has a
fix for that CVE but 2.0.3 doesn't. So 2.0.3 is vulnerable.

Re: Vulnerability ?

on 06.05.2009 18:01:17 by Perrin Harkins

For mod_perl 2 users, this only affects you if you use
ModPerl::PerlRun or ModPerl::Registry.

- Perrin

On Wed, May 6, 2009 at 7:40 AM, Francois Pernet wrote:
> Hi,
>
> We have received the following vulnerability report:
> http://www.securityfocus.com/bid/23192/info
>
> I read the changes for the mod_perl versions but did not find anything
> really clear. We are using mod_perl version 2.0.3 compiled for Suse linux
> enterprise server 10 sp2 used with apache 2.0.x compiled also (we are not
> using rpm versions of these packages).
>
> Can somebody clarify if the vulnerability is still present in version 2.0.3 and
> if we are obliged to move to version 2.0.4?
>
> Many thanks in advance
>
> Francois
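
A check that combines the two answers above (2.0.3 lacks the CVE-2007-1349 fix that 2.0.4 has; exposure requires ModPerl::PerlRun or ModPerl::Registry), added here as an example and not part of the original thread. The function names, status strings and the sample configuration are assumptions constructed for illustration.

```python
import re

# Per the thread: 2.0.4 carries the CVE-2007-1349 fix, 2.0.3 does not.
FIXED_IN = (2, 0, 4)
# Only the two handler modules named in the thread are matched.
HANDLER_RE = re.compile(r"\bModPerl::(?:Registry|PerlRun)\b")

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
LoadModule perl_module modules/mod_perl.so
# PerlResponseHandler ModPerl::PerlRun
Alias /perl/ /srv/www/perl/
<Location /perl/>
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
    Options +ExecCGI
</Location>
"""

def parse_version(text):
    """Turn '2.0.3' or 'mod_perl/2.0.3' into (2, 0, 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def handler_lines(conf_text):
    """Return (line_no, directive) for active Perl* directives naming the handlers."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and commented-out lines
            continue
        if line.lower().startswith("perl") and HANDLER_RE.search(line):
            hits.append((no, line))
    return hits

def assess(version_text, conf_text):
    """Return (status, hits) for a mod_perl 2 install and its Apache config."""
    version = parse_version(version_text)
    hits = handler_lines(conf_text)
    if version[0] != 2:
        return "not-mod_perl-2", hits  # the thread only covers mod_perl 2
    if version >= FIXED_IN:
        return "patched", hits
    return ("exposed" if hits else "unpatched-handlers-not-configured"), hits

if __name__ == "__main__":
    status, hits = assess("2.0.3", SAMPLE_CONF)
    print(status, hits)
```

Configuration spread over Include files needs to be concatenated before it is passed in; handlers set from .htaccess files or Perl sections are not seen by this check.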