Posted to modperl@perl.apache.org by "Philippe M. Chiasson" <go...@cpan.org> on 2003/10/13 20:02:24 UTC

[ANNOUNCE] mod_perl-1.29

The URL
    http://apache.org/dyn/closer.cgi/perl/mod_perl-1.29.tar.gz
    or
    http://www.perl.com/CPAN/modules/by-module/Apache/mod_perl-1.29.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/G/GO/GOZER/mod_perl-1.29.tar.gz
  size: 378877 bytes
   md5: 1491931790509b9af06fc037d02b0e7a

This release is a security release

I. Problem Description

    When used in conjunction with Perl version 5.8.1, mod_perl 1.28 and
    earlier versions are vulnerable to predictive random number
    generation.

    Specifically, starting with version 5.8.1, Perl's random number
    generator is seeded during the Perl interpreter startup. As a
    result of this, all child processes subsequently forked will use
    the same seed, and thus generate identical random number series.

II. Details

    The recently released Perl version 5.8.1 introduced randomization
    of the seed used to generate hash keys. Previous versions of Perl
    used a hardcoded seed, resulting in potentially predictable hash
    key sequences.

    Perl version 5.8.1 generates this seed during the Perl interpreter
    startup, resulting in an identical random number generator seed
    used for each subsequently forked process.

III. Impact

    By monitoring the output of third party packages or application
    code that make use of Perl's rand() function, an attacker might be
    able to predict when the code will generate the same random number
    again. This information could be used to defeat mechanisms which
    rely on adequate pseudo-random number generation such as
    authentication tokens and session identification.


IV. Affected systems

    Only mod_perl 1.28 and earlier versions, in conjunction with Perl
    5.8.1, are affected. In particular, no release from the
    mod_perl-2.0-to-be development branch is affected.

    Perl 5.8.1 built with non-default options may not be affected.  To
    determine whether your Perl is affected, issue the following
    command, which prints two numbers:

      perl -le 'fork; print rand'

    If the two numbers are identical, this perl is vulnerable.


V.  Solution

    Do one of the following:

    1) Upgrade your vulnerable system to mod_perl 1.29.

    2) If upgrading to mod_perl 1.29 is not possible, the following
       workaround will circumvent the vulnerability:

       Use the following command line to start your mod_perl enabled
       Apache server:

       PERL_HASH_SEED=`perl -le 'print int rand 9000000'` apachectl start

       By specifying an explicit PERL_HASH_SEED environment variable,
       Perl won't randomize its hash seed and srand() will be called
       normally after forking.

Changes since 1.28:

Add a workaround for the 'rand' bug for perl 5.8.1 (compiled with
either -DUSE_HASH_SEED or -DUSE_HASH_SEED_EXPLICIT, which is the
default), causing all forked procs to produce the same rand
sequence. [Stas]

For Win32, add an INSTALL_LIB option to 'perl Makefile.PL' to
allow one to specify where to install mod_perl.lib. If not
given, this defaults to APACHE_SRC\libexec, if this exists.
Suggested by Steve Hay [randyk]

Fix t/net/perl/sym.pl (called by modules/symbol) not to affect other
tests (internal/http-get and internal/http-post, which were failing to
call exit) [Stas]

Fix Apache::ExtUtils to work with blead perl (it was breaking the
build) http://rt.perl.org/rt2/Ticket/Display.html?id=23803 [Stas]

On Win32 the uploaded file wasn't cleaned up (whether it's a bug in
CGI.pm or not), make sure we don't leave any dropped files around
[Steve Hay <st...@uk.radan.com>]

For Win32, keep drive letters in mod_perl.dsp to fix bug, reported 
by DH <cr...@yahoo.com>, when compiling mod_perl in
cases where Apache and Perl are on different drives [Randy Kobes]. 

Add workaround to define statcache in Apache.xs so that
one can build on Win32 ActivePerl 8xx with LARGE_FILES
support [Randy Kobes]

+ Patches since 1.28 can be reviewed here: 
      http://www.apache.org/~gozer/mp1/1.28-dev/

--------------------------------------------------------------------------------
Philippe M. Chiasson /gozer\@(cpan|ectoplasm)\.org/ 88C3A5A5 (122FF51B/C634E37B)
http://gozer.ectoplasm.org/    F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3 A5A5
Q: It is impossible to make anything foolproof because fools are so ingenious.
perl -e'$$=\${gozer};{$_=unpack(P7,pack(L,$$));/^JAm_pH\n$/&&print||$$++&&redo}'
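An added fork-and-compare check that is not part of the announcement: it extends the one-liner in section IV to several children and also shows the per-process remedy the text alludes to, an explicit srand() in the child after fork (the names child_sequences and all_identical are my own).

```perl
#!/usr/bin/perl
# Added diagnostic, not from the mod_perl announcement: fork several
# children, collect the first rand() values of each, and report whether
# every child produced the same sequence (shared seed => predictable).
use strict;
use warnings;

# Collect the first $n rand() values from $kids forked children.
# When $reseed is true the child calls srand() right after fork, which
# gives each process its own seed regardless of what the parent did.
sub child_sequences {
    my ($kids, $n, $reseed) = @_;
    my @seqs;
    for my $i (1 .. $kids) {
        pipe(my $rd, my $wr) or die "pipe: $!";
        my $pid = fork;
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {                 # child
            close $rd;
            srand() if $reseed;          # fresh per-process seed
            my @vals;
            push @vals, rand for 1 .. $n;
            print {$wr} join(",", @vals), "\n";
            close $wr;
            exit 0;
        }
        close $wr;                       # parent
        chomp(my $line = <$rd>);
        close $rd;
        waitpid($pid, 0);
        push @seqs, $line;
    }
    return @seqs;
}

# True when all children reported the same sequence, i.e. rand() output
# in one process predicts rand() output in every other one.
sub all_identical {
    my %seen = map { $_ => 1 } @_;
    return keys(%seen) == 1;
}

my @plain = child_sequences(4, 3, 0);
printf "without srand after fork: %s\n",
    all_identical(@plain) ? "IDENTICAL (vulnerable)" : "distinct (ok)";

my @fixed = child_sequences(4, 3, 1);
printf "with srand after fork:    %s\n",
    all_identical(@fixed) ? "IDENTICAL (still shared)" : "distinct (ok)";
```

On an affected Perl 5.8.1 the first line reports IDENTICAL and the second reports distinct; on an unaffected perl both report distinct.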

Re: [ANNOUNCE] mod_perl-1.29

Posted by Sreeji K Das <sr...@yahoo.com>.
 --- Stas Bekman <st...@stason.org> wrote:
> Sreeji K
> Could it be that you were going through some proxy,
> and either the server has
> failed to give proper headers or the proxy is
> broken?
Yes I was using a proxy. However, I don't think it
was a proxy error, as I had downloaded a couple of
other files using the same lynx session; further lynx
detected the content-type & went till the 'save to
disk' screen. I guess it did not save for some reason
& did not tell me the reason (or I missed it !)
Anyway, now everything looks fine.
thx
Sreeji


Re: [ANNOUNCE] mod_perl-1.29

Posted by Stas Bekman <st...@stason.org>.
Sreeji K Das wrote:
>  --- Stas Bekman <st...@stason.org> wrote:
>> Sreeji K
>> When did you do that? I have just tested and it
>> fetches 1.29. Could it be that
>> you had an older file laying around?
> 
> hmm.. looks like that. I used lynx to download the
> file & the directory had an old file. I don't know why
> lynx never gave me an error message though ! I 'rm'd
> and downloaded the file & everything is fine. thx

Could it be that you were going through some proxy, and either the server has 
failed to give proper headers or the proxy is broken?

> Btw, how about naming the file as
> mod_perl-<version>.tar.gz ? That seems the general
> practice everywhere.

It is named mod_perl-<version>.tar.gz, modperl-2.0-current.tar.gz is just a 
symlink, which you can always download and it'll give you the latest 
version. It also allows us to keep the link always correct on the web-site, 
and more importantly on those outdated mirrors that you can find on the web.


__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: [ANNOUNCE] mod_perl-1.29

Posted by Sreeji K Das <sr...@yahoo.com>.
 --- Stas Bekman <st...@stason.org> wrote:
> Sreeji K
> When did you do that? I have just tested and it
> fetches 1.29. Could it be that
> you had an older file laying around?
hmm.. looks like that. I used lynx to download the
file & the directory had an old file. I don't know why
lynx never gave me an error message though ! I 'rm'd
and downloaded the file & everything is fine. thx
Btw, how about naming the file as
mod_perl-<version>.tar.gz ? That seems the general
practice everywhere.

Sreeji

__________________________________________________________________
> Stas Bekman            JAm_pH ------> Just Another
> mod_perl Hacker
> http://stason.org/     mod_perl Guide --->
> http://perl.apache.org
> mailto:stas@stason.org http://use.perl.org
> http://apacheweek.com
> http://modperlbook.org http://apache.org  
> http://ticketmaster.com
>  


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: [ANNOUNCE] mod_perl-1.29

Posted by Stas Bekman <st...@stason.org>.
Sreeji K Das wrote:
> Hi Philippe/Stas,
> 
> When I downloaded 
> http://perl.apache.org/dist/mod_perl-1.0-current.tar.gz
> I saw it was still 1.28. Is it on purpose ?
> However http://perl.apache.org/download/index.html
> shows the version as 1.29

When did you do that? I have just tested and it fetches 1.29. Could it be that 
you had an older file laying around?

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: [ANNOUNCE] mod_perl-1.29

Posted by Sreeji K Das <sr...@yahoo.com>.
Hi Philippe/Stas,

When I downloaded 
http://perl.apache.org/dist/mod_perl-1.0-current.tar.gz
I saw it was still 1.28. Is it on purpose ?
However http://perl.apache.org/download/index.html
shows the version as 1.29

Sreeji

 --- "Philippe M. Chiasson" <go...@cpan.org> wrote:
> The URL
>     http://apache.org/dyn/closer.cgi/perl/mod_perl-1.29.tar.gz
>     or
>     http://www.perl.com/CPAN/modules/by-module/Apache/mod_perl-1.29.tar.gz
> 


