According to https://www.openwall.com/lists/oss-security/2024/04/07/1, perl(HTTP::Body) is still affected by CVE-2013-4407. Version 1.23 solves the problem. Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => perl-HTTP-Body-1.220.0-6.mga9.src.rpm
CVE: (none) => CVE-2013-4407
Status comment: (none) => Fixed upstream in 1.23 (1.230.0)
Assignee: bugsquad => perl
Suggested advisory:
========================

The updated package really fixes a security vulnerability:

HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module for Perl uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, which makes it easier for remote attackers to conduct attacks by leveraging subsequent behavior that may assume the suffix is well-formed. (CVE-2013-4407)

References:
https://www.openwall.com/lists/oss-security/2024/04/07/1
========================

Updated package in core/updates_testing:
========================

perl-HTTP-Body-1.230.0-1.mga9

from SRPM:
perl-HTTP-Body-1.230.0-1.mga9.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: perl => qa-bugs
Status comment: Fixed upstream in 1.23 (1.230.0) => (none)
Keywords: (none) => advisory
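As an added illustration of the vulnerability class named in the advisory (example code written for this page, not HTTP::Body's own implementation, and not necessarily the exact change made in 1.23): naive_suffix() shows the risky pattern of taking everything after the first "." of a client-supplied upload name as the temporary-file suffix, while safe_suffix() keeps only a short, final, alphanumeric extension before the name is handed to File::Temp. The sample filenames are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);
use File::Temp qw(tempfile);

# Illustration of the CVE-2013-4407 pattern, not the code of HTTP::Body:
# everything after the first "." in the uploaded name becomes the suffix
# of the temporary file, so the suffix is whatever the client chose.
sub naive_suffix {
    my ($filename) = @_;
    my $base = basename($filename);
    return $base =~ /^[^.]+(\..+)\z/ ? $1 : '';
}

# Hardened variant (an assumption of this example, not necessarily the
# upstream fix): keep only a short, final, alphanumeric extension and
# otherwise use no suffix at all, so client-controlled text never
# reaches the temporary file's name.
sub safe_suffix {
    my ($filename) = @_;
    my $base = basename($filename);
    return $base =~ /\.([A-Za-z0-9]{1,10})\z/ ? ".$1" : '';
}

# Spool an upload the way a multipart handler would: random template,
# system temp dir, sanitized suffix. Returns the path that was created.
sub spool_upload {
    my ($filename) = @_;
    my ($fh, $path) = tempfile(
        'uploadXXXXXXXX',
        TMPDIR => 1,
        SUFFIX => safe_suffix($filename),
        UNLINK => 1,   # remove the demo files when the script exits
    );
    close $fh or die "close: $!";
    return $path;
}

# Constructed sample upload names for the demonstration.
my @samples = (
    'notes.txt',
    'archive.tar.gz',
    'odd.name with spaces.and.more',
    'no_extension',
    '.hidden',
    'dir/sub/file.PNG',
);

printf "%-32s %-32s %-8s %s\n", 'filename', 'naive suffix', 'safe', 'temp file';
for my $name (@samples) {
    printf "%-32s %-32s %-8s %s\n",
        $name,
        naive_suffix($name) || '(none)',
        safe_suffix($name)  || '(none)',
        spool_upload($name);
}
```

Run it with `perl suffix_demo.pl`: for "archive.tar.gz" the naive derivation yields ".tar.gz" and for the name with embedded spaces it yields ".name with spaces.and.more", whereas the hardened variant yields ".gz" and ".more" respectively, and any name without a clean final extension gets no suffix at all.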
Mageia9, x64

In the CVEs, some of the filenames offered as example exploits look extremely dangerous so it is a case of "don't try this at home".

Updated the package without issues.

Installed perl-Dancer as a test framework depending on perl-HTTP-Body. https://perldancer.org/quickstart presents enough information for a quick test. Following the tutorial to the letter led nowhere but a little modification did give access to the dance floor at localhost:5000.

$ dancer gen -a MyWeb::App          <Note: not dancer2>
The latest stable Dancer release is 1.3521, you are currently using 1.3520.
Please check http://search.cpan.org/dist/Dancer/ for updates.
+ MyWeb-App
+ MyWeb-App/t
+ MyWeb-App/t/001_base.t
+ MyWeb-App/t/002_index_route.t
+ MyWeb-App/lib
+ MyWeb-App/lib/MyWeb
+ MyWeb-App/lib/MyWeb/App.pm
+ MyWeb-App/environments
+ MyWeb-App/environments/development.yml
+ MyWeb-App/environments/production.yml
+ MyWeb-App/views
+ MyWeb-App/views/layouts
+ MyWeb-App/views/layouts/main.tt
+ MyWeb-App/views/index.tt
+ MyWeb-App/config.yml
+ MyWeb-App/public
+ MyWeb-App/public/javascripts
+ MyWeb-App/public/javascripts/jquery.min.js
+ MyWeb-App/public/dispatch.cgi
+ MyWeb-App/public/css
+ MyWeb-App/public/css/style.css
+ MyWeb-App/public/css/error.css
+ MyWeb-App/public/dispatch.fcgi
+ MyWeb-App/public/500.html
+ MyWeb-App/public/404.html
+ MyWeb-App/public/images
+ MyWeb-App/bin
+ MyWeb-App/bin/app.pl
+ MyWeb-App/Makefile.PL
+ MyWeb-App/MANIFEST.SKIP

$ tree -d MyWeb-App
MyWeb-App
├── bin
├── environments
├── lib
│   └── MyWeb
├── public
│   ├── css
│   ├── images
│   └── javascripts
├── t
└── views
    └── layouts

$ plackup -r bin/app.pl          <Note: app.pl not app.psgi>
Watching bin/app.pl for file updates.
[2666994] core @0.000003> PLACK_ENV is set (development) forcing PSGI handler in /usr/share/perl5/vendor_perl/Dancer/Handler.pm l. 33
[2666994] core @0.000308> loading Dancer::Handler::PSGI handler in /usr/share/perl5/vendor_perl/Dancer/Handler.pm l. 47

The introductory page appears at localhost:5000.
This should be enough.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => tarazed25
Tango, polka, or waltz? Validating, no matter which.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0127.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED