A flaw was found in the httpd mod_perl Apache::Status module. If a site has the non-default setting of making the /perl-status page accessible, remote attackers could use that flaw to trick users or steal sensitive browser data.

The original public announcement can be found here: http://marc.info/?l=apache-modperl&m=123862312808765&w=2

The CVE id mentioned in the above mail is wrong; CVE-2009-0796 is the proper CVE id.
Upstream patch: http://svn.apache.org/viewvc/perl/modperl/branches/1.x/lib/Apache/Status.pm?view=log&pathrev=761081
The Red Hat Security Response Team has rated this issue as having moderate security impact; a future mod_perl package update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/

Explanation:
------------
The vulnerability affects a non-default configuration of the Apache HTTP web server, i.e. cases when access to the Apache::Status and Apache2::Status resources is explicitly allowed via a <Location /perl-status> httpd.conf configuration directive. Its occurrence can be prevented by using the default configuration for the Apache HTTP web server (not exporting /perl-status).
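For readers who do need the status page while a fixed package is not yet installed, the following httpd.conf fragment contrasts the exposed setting described above with an access-restricted one. It is an added example, not part of the bug report or of the mod_perl project's documentation; the directive names are the standard mod_perl 2.x (Apache2::Status) and Apache httpd 2.2 ones, and the comments are assumptions about a typical deployment, not statements from this report.

```apache
# Exposed (non-default) configuration: /perl-status is reachable by anyone
# who can reach the server, which is the precondition for CVE-2009-0796.
<Location /perl-status>
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
</Location>

# Restricted configuration: keep the status handler but only answer
# requests from the local host. Remote users, and therefore the
# remote-attacker scenario above, are denied with a 403.
<Location /perl-status>
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>

# Default (safest) configuration: no <Location /perl-status> block at all.
# With the handler not exported, the flaw cannot be reached.
```

With mod_perl 1.x the handler directive is `PerlHandler Apache::Status` instead of `PerlResponseHandler Apache2::Status`; on Apache httpd 2.4 the three access-control lines are replaced by `Require local`. Removing the block entirely, as the report recommends, is the option that requires no further review.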
This also affects all current Fedora releases (10, 11, 12, and rawhide).
Upstream trunk commit: http://svn.apache.org/viewvc/perl/modperl/trunk/lib/Apache2/Status.pm?r1=607697&r2=760926
This was fixed in Fedora a while ago:

* Tue Dec 08 2009 Joe Orton <jorton> - 2.0.4-10
- add security fix for CVE-2009-0796 (#544455)
I'm closing this as wontfix. It's fixed in newer versions of mod_perl; the actual threat here is very minimal.