Debian has issued an advisory today (November 21):
Red Hat has rated this as a high severity issue:
A patch was written by a Debian developer; there's a link to the commit here:
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.
Updated perl-HTTP-Body package fixes security vulnerability:
Jonathan Dolle reported a design error in HTTP::Body, a Perl module for
processing data from HTTP POST requests. The HTTP body multipart parser
creates temporary files which preserve the suffix of the uploaded file.
An attacker able to upload files to a service that uses
HTTP::Body::Multipart could potentially execute commands on the server
if these temporary filenames are used in subsequent commands without
further checks (CVE-2013-4407).
Updated packages in core/updates_testing:
Steps to Reproduce:
Just checking that the sample script on CPAN doesn't cause errors.
It actually does error due to it missing a ; after
$body->param_order towards the end, but when that is fixed..
Testing complete mga2 32 & 64 and mga3 32 & 64
Validating. Advisory uploaded.
Could sysadmin please push from 2&3 core/updates_testing to updates?
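
The advisory above says the risk comes from temporary filenames that keep the uploaded file's suffix and are later used in commands without further checks. The following is an added example for this page, not code from HTTP::Body or from the Debian patch: it shows an application keeping only an allowlisted suffix and passing the path to a command without a shell. The helper names (safe_suffix, spool_upload, path_is_plain) are hypothetical and the sample filenames are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp ();

# Hypothetical helper, not part of HTTP::Body: keep the client-supplied
# suffix only if it is one or two short alphanumeric extensions.
# \z (not $) is used so a trailing newline cannot slip through.
sub safe_suffix {
    my ($client_name) = @_;
    return '' unless defined $client_name;
    return $1 if $client_name =~ /((?:\.[A-Za-z0-9]{1,10}){1,2})\z/;
    return '';    # anything else: the temp file gets no suffix at all
}

# Spool upload data to a temp file whose name holds no unchecked client bytes.
sub spool_upload {
    my ($client_name, $data) = @_;
    my $fh = File::Temp->new(SUFFIX => safe_suffix($client_name), UNLINK => 1);
    binmode $fh;
    print {$fh} $data;
    $fh->flush;
    return $fh;    # file is removed when this object goes out of scope
}

# Second check for code that receives a temp path from elsewhere
# (assumption: POSIX-style paths).
sub path_is_plain {
    my ($path) = @_;
    return $path =~ m{\A[A-Za-z0-9_./-]+\z} ? 1 : 0;
}

# Constructed sample filenames, as a client might send them in a multipart POST.
my @samples = ('report.pdf', 'archive.tar.gz', 'notes.txt; echo injected',
               "img.png\n", 'README');

for my $name (@samples) {
    my $fh   = spool_upload($name, "sample data\n");
    my $path = $fh->filename;
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-28s suffix=%-10s plain=%d\n",
        "'$shown'", "'" . safe_suffix($name) . "'", path_is_plain($path);
    next unless path_is_plain($path);
    # List-form system() runs the program directly, with no shell to interpret
    # the path; $^X (the running perl) stands in for the real command.
    system($^X, '-e', 'printf "  size: %d bytes\n", -s $ARGV[0]', $path) == 0
        or warn "command failed for $path\n";
}
```

With the constructed names above, only 'report.pdf' and 'archive.tar.gz' keep a suffix; the other three are spooled to a temp file with no suffix.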