Bug 47847 – libapache2-mod-perl2: Multiple issues (4.2)

Bug 47847 - libapache2-mod-perl2: Multiple issues (4.2)


Summary:	libapache2-mod-perl2: Multiple issues (4.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.2
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.2-5-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-09-21 13:13 CEST by Quality Assurance
Modified:	2018-09-26 13:41 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2018-09-21 13:13:43 CEST

New Debian libapache2-mod-perl2 2.0.9~1624218-2+deb8u3 fixes:
This update addresses the following issue:
* arbitrary Perl code execution in the context of the user account via a  user-owned .htaccess (CVE-2011-2767)
* arbitrary Perl code execution in the context of the user account via a  user-owned .htaccess (CVE-2011-2767)
* arbitrary Perl code execution in the context of the user account via a  user-owned .htaccess (CVE-2011-2767)
* arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767)

Comment 1 Quality Assurance

2018-09-21 14:00:22 CEST

--- mirror/ftp/4.2/unmaintained/4.2-4/source/libapache2-mod-perl2_2.0.9~1624218-2+deb8u2.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/libapache2-mod-perl2_2.0.9~1624218-2+deb8u3.dsc
@@ -1,3 +1,14 @@
+2.0.9~1624218-2+deb8u3 [Tue, 18 Sep 2018 19:59:36 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2011-2767:
+    Jan Ingvoldstad discovered that libapache2-mod-perl2 allows attackers to
+    execute arbitrary Perl code by placing it in a user-owned .htaccess file,
+    because (contrary to the documentation) there is no configuration option
+    that permits Perl code for the administrator's control of HTTP request
+    processing without also permitting unprivileged users to run Perl code in
+    the context of the user account that runs Apache HTTP Server processes.
+
 2.0.9~1624218-2+deb8u2 [Wed, 14 Jun 2017 14:39:56 +0300] Niko Tyni <ntyni@debian.org>:
 
   * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility.

<http://10.200.17.11/4.2-5/#6689631644436615149>

Comment 2 Philipp Hahn

2018-09-21 16:12:22 CEST

OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 19907dfde4 Bug #47847: libapache2-mod-perl2 2.0.9~1624218-2+deb8u3
 doc/errata/staging/libapache2-mod-perl2.yaml | 6 ------
 1 file changed, 6 deletions(-)

[4.2-5] faaa27c79a Bug #47847: libapache2-mod-perl2 2.0.9~1624218-2+deb8u3
 doc/errata/staging/libapache2-mod-perl2.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

Comment 3 Erik Damrose

2018-09-26 13:41:46 CEST

<http://errata.software-univention.de/ucs/4.2/519.html>