Bug#702821: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
Niko Tyni
ntyni at debian.org
Mon Mar 11 20:47:45 UTC 2013

Package: libapache2-mod-perl2
Version: 2.0.7-2
Severity: serious
Control: found -1 2.0.4-7
X-Debbugs-Cc: team at security.debian.org, perl at packages.debian.org

As noted on the modperl users list in
 http://mail-archives.apache.org/mod_mbox/perl-modperl/201303.mbox/%3C67B2BB40A61BE846B65EF4793B863D6C610AF5@ukmail02.planit.group%3E
the perl fix for CVE-2013-1667 (rehashing flaw) makes t/perl/hash_attack.t
in libapache2-mod-perl2 fail, so the latter package now fails to build
from source.

Verified on both squeeze and sid/wheezy.

 t/perl/api.t ............................ ok
 request has failed (the response code was: 500)
 see t/logs/error_log for more details
 t/perl/hash_attack.t ....................
 Dubious, test returned 255 (wstat 65280, 0xff00)
 Failed 1/1 subtests
 [...]
 Result: FAIL
 Failed 1/242 test programs. 0/3534 subtests failed.

No patch yet, but according to Steve Hay in the above message
there is one floating around:

> I have seen a patch for it on the perl5-security list, and will
> hopefully apply it soon.

so it's probably best to wait a moment before disabling the test.

FWIW the SVN repository is at
 svn co https://svn.apache.org/repos/asf/perl/modperl/trunk
and can be browsed at
 http://svn.apache.org/viewvc/perl/modperl/trunk/

Cc'ing the security team. Once we have a fix, I suppose we'll need to
fix libapache2-mod-perl2 via stable-security?

--
Niko Tyni ntyni at debian.org