| Summary: | perl-Dancer new security issue CVE-2012-5572 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | jquelin, shlomif, sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/554228/ | | |
| Whiteboard: | MGA2TOO has_procedure MGA2-64-OK mga2-32-ok mga3-32-ok mga3-64-ok | | |
| Source RPM: | perl-Dancer-1.311.0-2.mga3.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2013-06-13 19:55:48 CEST

David Walser 2013-06-13 19:55:57 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

(In reply to David Walser from comment #0)
> Fedora has issued an advisory on June 4:
> https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.html
>
> Mageia 2 and Mageia 3 are also affected.
>
> Reproducible:
>
> Steps to Reproduce:

Hi David!

This appears to already be fixed in the perl-Dancer that we have in Cauldron. Can we just upgrade the Dancer packages in Mageia 2 and Mageia 3 to their latest ones?

Regards,

-- Shlomi Fish

CC: (none) => shlomif

Upgrading the module is how we've handled some security issues with perl modules in the past, so yes that sounds fine. Thanks.

OK. I submitted perl-Dancer-1.311.500 {mga2,mga3} to http://pkgsubmit.mageia.org/ . One of them still has to build.

I tested perl-Dancer for MGA2 and it seems fine.

Regards,

-- Shlomi Fish

Thanks Shlomi!

Advisory:
========================

Updated perl-Dancer package fixes security vulnerability:

A security flaw was found in the way Dancer.pm, lightweight yet powerful web application framework / Perl language module, performed sanitization of values to be used for cookie() and cookies() methods. A remote attacker could use this flaw to inject arbitrary headers into responses from (Perl) applications, that use Dancer.pm (CVE-2012-5572).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5572
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.html
========================

Updated packages in core/updates_testing:
========================
perl-Dancer-1.311.500-1.mga2
perl-Dancer-1.311.500-1.mga3

from SRPMS:
perl-Dancer-1.311.500-1.mga2.src.rpm
perl-Dancer-1.311.500-1.mga3.src.rpm

CC: (none) => jquelin

Testing MGA2 x86_64 using an upstream unit test:
https://github.com/PerlDancer/Dancer/blob/devel/t/12_response/11_CVE-2012-5572.t

I confirm there's a flaw in current Mageia 2 package:

```
$ perl test.pl
1..2
# Testing CVE-2012-5572 (CRLF in response headers)
ok 1 - a route exists for GET /CVE-2012-5572-cookie
not ok 2 - Headers do not contain CRLF (CVE-2012-5572)
# Failed test 'Headers do not contain CRLF (CVE-2012-5572)'
# at test.pl line 34.
# Looks like you failed 1 test of 2.
```

After installing the update candidate:

```
# urpmi perl-Dancer --search-media testing
$ perl test.pl
1..2
# Testing CVE-2012-5572 (CRLF in response headers)
ok 1 - a route exists for GET /CVE-2012-5572-cookie
ok 2 - Headers do not contain CRLF (CVE-2012-5572)
```

=> testing complete

Note: it adds a new dependency to perl-Module-Runtime apparently

Whiteboard: MGA2TOO => MGA2TOO has_procedure MGA2-64-OK

Testing complete mga2 32

Thanks for the procedure Samuel

Whiteboard: MGA2TOO has_procedure MGA2-64-OK => MGA2TOO has_procedure MGA2-64-OK mga2-32-ok

Testing complete mga3 32 & 64

No added requires on Mageia 3. Mageia 2 does as Samuel mentioned.

I'll upload the advisory then validate

Whiteboard: MGA2TOO has_procedure MGA2-64-OK mga2-32-ok => MGA2TOO has_procedure MGA2-64-OK mga2-32-ok mga3-32-ok mga3-64-ok

Advisory uploaded

Validating

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2013-0183.html

Status: NEW => RESOLVED
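As an added illustration of the flaw the advisory describes and the upstream test checks for (example code written for this page, not Dancer's code or the upstream `11_CVE-2012-5572.t` test), the following Python builds a `Set-Cookie` header two ways: a naive interpolation that lets a CR/LF inside the cookie value split the header, and a hardened builder that rejects any value outside the RFC 6265 cookie-value grammar. The `headers_contain_crlf` check mirrors the test's "Headers do not contain CRLF" assertion; all sample values are constructed.

```python
import re
from typing import List

# RFC 6265 section 4.1.1 cookie-value octets: printable US-ASCII except CTLs,
# whitespace, DQUOTE, comma, semicolon and backslash. CR (0x0D) and LF (0x0A)
# are CTLs, so any value that could break out of the header line fails here.
COOKIE_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
# Cookie names are RFC 2616 tokens.
COOKIE_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class CookieValueError(ValueError):
    """Raised when a cookie name or value is unsafe to place in a header."""


def render_set_cookie_naive(name: str, value: str) -> str:
    """Unsafe variant: interpolates the value as-is, so a value carrying CR/LF
    becomes two header lines. Kept only so the check below has something to flag."""
    return f"Set-Cookie: {name}={value}; Path=/"


def render_set_cookie(name: str, value: str) -> str:
    """Hardened variant: validates name and value before building the header."""
    if not COOKIE_NAME_RE.fullmatch(name):
        raise CookieValueError(f"invalid cookie name: {name!r}")
    if not COOKIE_VALUE_RE.fullmatch(value):
        raise CookieValueError(f"invalid cookie value: {value!r}")
    return f"Set-Cookie: {name}={value}; Path=/"


def is_safe_cookie(name: str, value: str) -> bool:
    """True when the hardened builder accepts the name/value pair."""
    try:
        render_set_cookie(name, value)
    except CookieValueError:
        return False
    return True


def headers_contain_crlf(header_lines: List[str]) -> bool:
    """Same assertion as the upstream test: no single header line may
    contain a CR or LF once the response headers are rendered."""
    return any("\r" in line or "\n" in line for line in header_lines)


if __name__ == "__main__":
    # Constructed sample input: a cookie value that carries a CRLF sequence.
    bad_value = "abc\r\nX-Example: constructed"
    print(headers_contain_crlf([render_set_cookie_naive("session", bad_value)]))  # True
    print(is_safe_cookie("session", bad_value))                                    # False
    print(is_safe_cookie("session", "abc123"))                                     # True
```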
Nicolas Vigier 2014-05-08 18:07:05 CEST

CC: boklm => (none)