Fedora has issued an advisory on June 4: https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.html Mageia 2 and Mageia 3 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO, MGA2TOO
(In reply to David Walser from comment #0) > Fedora has issued an advisory on June 4: > https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749. > html > > Mageia 2 and Mageia 3 are also affected. > > Reproducible: > > Steps to Reproduce: Hi David! This appears to already be fixed in the perl-Dancer that we have in Cauldron. Can we just upgrade the Dancer packages in Mageia 2 and Mageia 3 to their latest ones? Regards, -- Shlomi Fish
CC: (none) => shlomif
Upgrading the module is how we've handled some security issues with perl modules in the past, so yes that sounds fine. Thanks.
OK. I submitted perl-Dancer-1.311.500 {mga2,mga3} to http://pkgsubmit.mageia.org/ . One of them still has to build. I tested perl-Dancer for MGA2 and it seems fine. Regards, -- Shlomi Fish
Thanks Shlomi! Advisory: ======================== Updated perl-Dancer package fixes security vulnerability: A security flaw was found in the way Dancer.pm, lightweight yet powerful web application framework / Perl language module, performed sanitization of values to be used for cookie() and cookies() methods. A remote attacker could use this flaw to inject arbitrary headers into responses from (Perl) applications, that use Dancer.pm (CVE-2012-5572). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5572 https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108749.html ======================== Updated packages in core/updates_testing: ======================== perl-Dancer-1.311.500-1.mga2 perl-Dancer-1.311.500-1.mga3 from SRPMS: perl-Dancer-1.311.500-1.mga2.src.rpm perl-Dancer-1.311.500-1.mga3.src.rpm
CC: (none) => jquelinVersion: Cauldron => 3Assignee: jquelin => qa-bugsWhiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Testing MGA2 x86_64 using an upstream unit test: https://github.com/PerlDancer/Dancer/blob/devel/t/12_response/11_CVE-2012-5572.t I confirm there's a flaw in current Mageia 2 package: $ perl test.pl 1..2 # Testing CVE-2012-5572 (CRLF in response headers) ok 1 - a route exists for GET /CVE-2012-5572-cookie not ok 2 - Headers do not contain CRLF (CVE-2012-5572) # Failed test 'Headers do not contain CRLF (CVE-2012-5572)' # at test.pl line 34. # Looks like you failed 1 test of 2. After installing the update candidate: # urpmi perl-Dancer --search-media testing $ perl test.pl 1..2 # Testing CVE-2012-5572 (CRLF in response headers) ok 1 - a route exists for GET /CVE-2012-5572-cookie ok 2 - Headers do not contain CRLF (CVE-2012-5572) => testing complete Note : it adds a new depency to perl-Module-Runtime apparently
Whiteboard: MGA2TOO => MGA2TOO has_procedure MGA2-64-OK
Testing complete mga2 32 Thanks for the procedure Samuel
Whiteboard: MGA2TOO has_procedure MGA2-64-OK => MGA2TOO has_procedure MGA2-64-OK mga2-32-ok
Testing complete mga3 32 & 64 No added requires on Mageia 3. Mageia 2 does as Samuel mentioned. I'll upload the advisory then validate
Whiteboard: MGA2TOO has_procedure MGA2-64-OK mga2-32-ok => MGA2TOO has_procedure MGA2-64-OK mga2-32-ok mga3-32-ok mga3-64-ok
Advisory uploaded Validating Could sysadmin please push from 2 & 3 core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0183.html
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
CC: boklm => (none)