Bug 7805 - perl-HTML-Template-Pro new security issue CVE-2011-4616
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/519847/
Whiteboard: MGA1-32-OK, MGA1-64-OK
Keywords: validated_update
Reported: 2012-10-15 21:31 CEST by David Walser
Modified: 2012-10-20 17:40 CEST (History)

Source RPM: perl-HTML-Template-Pro-0.950.400-1.mga1.src.rpm
Description David Walser 2012-10-15 21:31:45 CEST
Fedora has issued an advisory on October 6:
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089888.html

Mageia 2 is not affected as this was fixed in 0.9507 and we have 0.9509.
Comment 1 Jerome Quelin 2012-10-16 14:07:15 CEST
perl-HTML-Template-Pro-0.950.900-1.mga1 is available in core/updates_testing
Comment 2 David Walser 2012-10-16 15:19:32 CEST
Thanks Jerome!

Advisory:
========================

Updated perl-HTML-Template-Pro packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module
before 0.9507 for Perl allows remote attackers to inject arbitrary web
script or HTML via template parameters, related to improper handling of
> (greater than) and < (less than) characters (CVE-2011-4616).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4616
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089888.html
Comment 3 Marc Lattemann 2012-10-17 20:29:19 CEST
tested successfully for mga1 i586 and x86_64
used script from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652587

As David already mentioned, with this script mga2 is not affected.

Please use Advisory from Comment 2.

src-RPM: perl-HTML-Template-Pro-0.950.900-1.mga1.src.rpm

Can someone from the sysadmin team push the package to Updates? Thanks.
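A regression check of the kind QA ran above, added here as an example (it is neither the Debian test script nor part of the package): it renders a constructed template with HTML::Template::Pro and verifies that ESCAPE=HTML converts < and >, the characters named in the CVE-2011-4616 advisory, together with & and ", into entities. The template, the parameter values and the render() helper are assumptions made for this example; a module older than 0.9507 is expected to fail the angle-bracket checks.

```perl
#!/usr/bin/perl
# Regression check for CVE-2011-4616: confirm that HTML::Template::Pro
# entity-encodes parameter values when ESCAPE=HTML is requested.
# (Added example with constructed template and values, not the module's tests.)
use strict;
use warnings;
use HTML::Template::Pro;

# Constructed template: one value in element content, one inside an attribute.
my $template = <<'TMPL';
<p><TMPL_VAR NAME="comment" ESCAPE=HTML></p>
<input name="title" value="<TMPL_VAR NAME="title" ESCAPE=HTML>">
TMPL

# Constructed parameter values carrying the characters the advisory names.
my %param = (
    comment => '<script>alert(1)</script> & "quotes"',
    title   => 'a<b>c',
);

# Render the template with the constructed parameters and return the output.
sub render {
    my $t = HTML::Template::Pro->new(scalarref => \$template);
    $t->param(%param);
    return $t->output();
}

# [ what is checked, substring that must appear, raw substring that must not ]
my @checks = (
    [ 'angle brackets in content',   '&lt;script&gt;alert(1)&lt;/script&gt;', '<script>' ],
    [ 'ampersand',                   '&amp; ',                                 undef      ],
    [ 'double quotes',               '&quot;quotes&quot;',                     '"quotes"' ],
    [ 'angle brackets in attribute', 'value="a&lt;b&gt;c"',                    'a<b>c'    ],
);

my $out    = render();
my $failed = 0;
for my $c (@checks) {
    my ($what, $want, $raw) = @$c;
    my $ok = index($out, $want) >= 0
          && (!defined $raw || index($out, $raw) < 0);
    printf "%-28s %s\n", $what, $ok ? 'escaped' : 'NOT ESCAPED';
    $failed++ unless $ok;
}
print $failed ? "FAIL: unescaped values reached the output\n"
              : "OK: all values entity-encoded\n";
exit($failed ? 1 : 0);
```

Run it once against the package in updates_testing and once against the previous build; a non-zero exit on the old build and zero on the new one confirms the fix is present.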
Comment 4 Thomas Backlund 2012-10-20 17:40:25 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0302
