| Summary: | perl(HTTP::Body) still affected by security issue CVE-2013-4407 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | perl-HTTP-Body-1.220.0-6.mga9.src.rpm | CVE: | CVE-2013-4407 |
| Status comment: | |||
Description

Nicolas Salguero 2024-04-09 10:08:14 CEST

Nicolas Salguero 2024-04-09 10:09:29 CEST

Whiteboard: (none) => MGA9TOO
Lewis Smith 2024-04-09 20:56:34 CEST

Assignee: bugsquad => perl

Suggested advisory:
========================

The updated package really fixes a security vulnerability:

HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for Perl uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed. (CVE-2013-4407)

References:
https://www.openwall.com/lists/oss-security/2024/04/07/1
========================

Updated package in core/updates_testing:
========================
perl-HTTP-Body-1.230.0-1.mga9

from SRPM:
perl-HTTP-Body-1.230.0-1.mga9.src.rpm

Status: NEW => ASSIGNED
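The mechanism the advisory text describes, as an added Perl illustration that is not HTTP::Body's own code: the weak suffix derivation (everything after the first ".") beside a hardened variant that keeps only a short, ASCII-only final extension. The hardened form is an illustrative approach, not the upstream patch, and the sample filenames are constructed.

```perl
#!/usr/bin/perl
# Added illustration for CVE-2013-4407; not code from HTTP::Body.
use strict;
use warnings;
use File::Temp ();

# Weak derivation, as the advisory describes it: everything after the
# first "." of the client-supplied name becomes the temp-file suffix.
sub weak_suffix {
    my ($filename) = @_;
    my $dot = index($filename, '.');
    return $dot < 0 ? '' : substr($filename, $dot);
}

# Hardened derivation (illustrative, not the upstream patch): keep only
# the final extension, accept 1-10 ASCII alphanumerics, lower-case it,
# and fall back to a fixed suffix when nothing acceptable is present.
sub safe_suffix {
    my ($filename) = @_;
    my ($ext) = $filename =~ /\.([A-Za-z0-9]{1,10})\z/;
    return defined $ext ? '.' . lc $ext : '.upload';
}

# Constructed sample names; none are taken from the bug report.
my @samples = (
    'report.pdf',
    'archive.tar.gz',
    'odd.name with spaces.txt',
    'noextension',
);

printf "%-26s %-28s %s\n", 'filename', 'weak suffix', 'safe suffix';
for my $name (@samples) {
    printf "%-26s %-28s %s\n",
        $name, "'" . weak_suffix($name) . "'", "'" . safe_suffix($name) . "'";
}

# Only the hardened suffix should reach File::Temp for the upload body.
my $tmp = File::Temp->new( UNLINK => 1, SUFFIX => safe_suffix('archive.tar.gz') );
print "temp file: ", $tmp->filename, "\n";
```

The table makes the difference visible: 'archive.tar.gz' yields '.tar.gz' under the weak rule but '.gz' under the hardened one, and a name with no extension yields the fixed '.upload' instead of an empty suffix.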
katnatek 2024-04-12 00:54:10 CEST

Keywords: (none) => advisory

Mageia9, x64

In the CVEs, some of the filenames offered as example exploits look extremely dangerous, so it is a case of "don't try this at home".

Updated the package without issues.

Installed perl-Dancer as a test framework depending on perl-HTTP-Body.
https://perldancer.org/quickstart presents enough information for a quick test.
Following the tutorial to the letter led nowhere, but a little modification did give access to the dance floor at localhost:5000.

$ dancer gen -a MyWeb::App <Note not dancer2>
The latest stable Dancer release is 1.3521, you are currently using 1.3520.
Please check http://search.cpan.org/dist/Dancer/ for updates.
+ MyWeb-App
+ MyWeb-App/t
+ MyWeb-App/t/001_base.t
+ MyWeb-App/t/002_index_route.t
+ MyWeb-App/lib
+ MyWeb-App/lib/MyWeb
+ MyWeb-App/lib/MyWeb/App.pm
+ MyWeb-App/environments
+ MyWeb-App/environments/development.yml
+ MyWeb-App/environments/production.yml
+ MyWeb-App/views
+ MyWeb-App/views/layouts
+ MyWeb-App/views/layouts/main.tt
+ MyWeb-App/views/index.tt
+ MyWeb-App/config.yml
+ MyWeb-App/public
+ MyWeb-App/public/javascripts
+ MyWeb-App/public/javascripts/jquery.min.js
+ MyWeb-App/public/dispatch.cgi
+ MyWeb-App/public/css
+ MyWeb-App/public/css/style.css
+ MyWeb-App/public/css/error.css
+ MyWeb-App/public/dispatch.fcgi
+ MyWeb-App/public/500.html
+ MyWeb-App/public/404.html
+ MyWeb-App/public/images
+ MyWeb-App/bin
+ MyWeb-App/bin/app.pl
+ MyWeb-App/Makefile.PL
+ MyWeb-App/MANIFEST.SKIP

$ tree -d MyWeb-App
MyWeb-App
├── bin
├── environments
├── lib
│   └── MyWeb
├── public
│   ├── css
│   ├── images
│   └── javascripts
├── t
└── views
    └── layouts

$ plackup -r bin/app.pl <Note: app.pl not app.psgi>
Watching bin/app.pl for file updates.
[2666994] core @0.000003> PLACK_ENV is set (development) forcing PSGI handler in /usr/share/perl5/vendor_perl/Dancer/Handler.pm l. 33
[2666994] core @0.000308> loading Dancer::Handler::PSGI handler in /usr/share/perl5/vendor_perl/Dancer/Handler.pm l. 47

The introductory page appears at localhost:5000.
This should be enough.

Whiteboard: (none) => MGA9-64-OK

Tango, polka, or waltz? Validating, no matter which.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0127.html

Status: ASSIGNED => RESOLVED