Bug 7805 - perl-HTML-Template-Pro new security issue CVE-2011-4616
Summary: perl-HTML-Template-Pro new security issue CVE-2011-4616
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/519847/
Whiteboard: MGA1-32-OK, MGA1-64-OK
Keywords: validated_update
Depends on:
Reported: 2012-10-15 21:31 CEST by David Walser
Modified: 2012-10-20 17:40 CEST

See Also:
Source RPM: perl-HTML-Template-Pro-0.950.400-1.mga1.src.rpm
Status comment:


Description David Walser 2012-10-15 21:31:45 CEST
Fedora has issued an advisory on October 6:

Mageia 2 is not affected as this was fixed in 0.9507 and we have 0.9509.
Comment 1 Jerome Quelin 2012-10-16 14:07:15 CEST
perl-HTML-Template-Pro-0.950.900-1.mga1 is available in core/updates_testing
Comment 2 David Walser 2012-10-16 15:19:32 CEST
Thanks Jerome!


Updated perl-HTML-Template-Pro packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module
before 0.9507 for Perl allows remote attackers to inject arbitrary web
script or HTML via template parameters, related to improper handling of
> (greater than) and < (less than) characters (CVE-2011-4616).

Comment 3 Marc Lattemann 2012-10-17 20:29:19 CEST
tested successfully for mga1 i586 and x86_64
used script from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652587

As David already mentioned, with this script mga2 is not affected.

Please use Advisory from Comment 2.

src-RPM: perl-HTML-Template-Pro-0.950.900-1.mga1.src.rpm

Can someone from the sysadmin team push the package to Updates? Thanks.
Comment 4 Thomas Backlund 2012-10-20 17:40:25 CEST
Update pushed:
