| Summary: | perl-CGI-Application new security issue CVE-2013-7329 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | ennael1, jquelin, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/588435/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | perl-CGI-Application-4.500.0-2.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | example.cgi, example.pm, example.tmpl | ||
Description

David Walser 2014-02-20 16:09:39 CET

David Walser 2014-02-20 16:09:48 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Updates now available in core/updates_testing for both mageia 3 and mageia 4.

mageia 3:
- perl-CGI-Application-4.500.0-2.1.mga3.src.rpm
- perl-CGI-Application-4.500.0-2.1.mga3

mageia 4:
- perl-CGI-Application-4.500.0-3.1.mga4.src.rpm
- perl-CGI-Application-4.500.0-3.1.mga4

Since the module is providing a web framework, it's not really easy to test the new behaviour. However, as can be seen in the commit fixing the problem (https://github.com/markstos/CGI--Application/pull/15), a new test case has been added to the regression test-suite. I therefore propose to consider the bug fixed and to push the updates directly.

Advisory:
===============
This update fixes a security issue for CGI::Application. Previously when overloading setup() (which everyone does), one ALWAYS had dump_html as a default run-mode unless explicitly redefining it. This would unexpectedly dump a complete set of web query data and server environment information as an error page, thus leaking information.
===============

URL: (none) => https://rt.cpan.org/Public/Bug/Display.html?id=84403
claire robinson 2014-02-24 10:58:38 CET

Version: Cauldron => 4

Thanks Jerome. Just some typographical fixes here.

Advisory:
========================
Updated perl-CGI-Application package fixes security vulnerability:

When applications using CGI::Application overload setup(), which is normally the case, CGI::Application since version 4.19 has dump_html as a default run-mode unless the application explicitly redefines it. This unexpectedly dumps a complete set of web query data and server environment information as an error page, thus leaking information (CVE-2013-7329).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7329
http://openwall.com/lists/oss-security/2014/02/20/1
https://bugzilla.redhat.com/show_bug.cgi?id=1067180
========================

Updated packages in core/updates_testing:
========================
perl-CGI-Application-4.500.0-2.1.mga3
perl-CGI-Application-4.500.0-3.1.mga4

from SRPMS:
perl-CGI-Application-4.500.0-2.1.mga3.src.rpm
perl-CGI-Application-4.500.0-3.1.mga4.src.rpm

Created attachment 5004 [details]
example.cgi

Some test files to check the module basically works, from http://max.duestrade.it/Perl-module-CGI-Application.html

example.cgi
example.pm
example.tmpl

Put into the same directory, it should output some html..

    $ perl example.cgi
    Content-Type: text/html; charset=ISO-8859-1

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head><title>Example</title></head>
    <body>
    <!-- this is the page section shown on the first access to 'example.cgi' -->
    <form method="post" action="example.cgi">
    <p><input type="hidden" name="newState" value="authentication"/></p>
    <p>user: <input type="text" name="user"/></p>
    <p>password: <input type="password" name="password"/></p>
    <p><input type="submit" name="action" value="Login"/></p>
    </form>
    </body>
    </html>

Created attachment 5005 [details]
example.pm

Created attachment 5006 [details]
example.tmpl
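As an added example that is not part of this bug report or of the CGI::Application distribution, the Perl script below shows the pattern the advisory describes: an application that overrides setup() and registers only its own run modes, beside a variant that explicitly remaps the start mode, plus a check that reports which run modes would still dispatch to dump_html. The package names MyApp::Leaky and MyApp::Fixed and their run-mode methods are hypothetical; the script assumes the CGI and CGI::Application modules are installed.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or the CGI::Application distribution):
# lists the run modes of an app that would dispatch to dump_html. Names are hypothetical.
use strict;
use warnings;
use CGI;
use CGI::Application;

# The pattern the advisory describes: setup() is overridden and registers only
# the application's own run modes. On affected versions (4.19 .. 4.50) the
# framework's first call to run_modes() seeds 'start' => 'dump_html' and later
# calls merge into that hash, so the dumping mode survives and stays reachable.
package MyApp::Leaky;
our @ISA = ('CGI::Application');
sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(['login', 'welcome']);  # each name maps to a method of the same name
}
sub login   { return "<p>login form</p>" }
sub welcome { return "<p>welcome</p>" }

# Hardened variant: 'start' is remapped to a harmless method (run_modes merges
# by key, so this overwrites dump_html), and error_mode() names a method that
# reveals nothing about the request or the server environment.
package MyApp::Fixed;
our @ISA = ('MyApp::Leaky');
sub setup {
    my $self = shift;
    $self->SUPER::setup();
    $self->run_modes(start => 'login');
    $self->error_mode('report_error');
}
sub report_error { return "<p>Something went wrong.</p>" }

package main;
# Instantiate the application (new() calls setup()) and return the names of
# every run mode whose handler is dump_html, sorted for stable output.
sub leaky_modes {
    my $class = shift;
    my $app   = $class->new(QUERY => CGI->new(''));
    my %rm    = $app->run_modes();
    return sort(grep { $rm{$_} eq 'dump_html' } keys %rm);
}

for my $class (qw(MyApp::Leaky MyApp::Fixed)) {
    my @leaky = leaky_modes($class);
    printf "%-13s %s\n", $class,
        @leaky ? "exposes dump_html via run mode(s): @leaky" : "does not expose dump_html";
}
```

On an unpatched CGI::Application the first line reports MyApp::Leaky exposing dump_html via "start" while MyApp::Fixed does not; on a patched build both report clean, which makes the script a quick way to confirm an update took effect.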
Testing complete mga3 32

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok

Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Testing complete Mageia 4 i586, same procedure as Claire.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok

Testing complete Mageia 4 x86_64

CC: (none) => ennael1

Anne Nicolas 2014-02-24 23:43:29 CET

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64 => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Thanks.

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0098.html

Status: NEW => RESOLVED

https://rt.cpan.org/Public/Bug/Display.html?id=84403

URL: https://rt.cpan.org/Public/Bug/Display.html?id=84403 => http://lwn.net/Vulnerabilities/588435/