Fedora has issued an advisory on November 16: http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093398.html Fixed upstream in 3.63, Mageia 1, Mageia 2, and Cauldron should all be affected.
Whiteboard: (none) => MGA2TOO, MGA1TOO
perl-CGI 3.63 available in core/updates_testing for both mageia 1 & mageia 2. cauldron is already up to date. qa : please validate & push to updates
Assignee: jquelin => qa-bugs
Version: Cauldron => 2Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Just need an advisory please.
CC: (none) => jquelin
Taken from fedora's advisory: Fix CVE-2012-5526: escape new-lines in Set-Cookie and P3P HTTP response headers properly.
Thanks Jerome! Advisory: ======================== Updated perl-CGI package fixes security vulnerability: CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm (CVE-2012-5526). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526 http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093398.html ======================== Updated packages in core/updates_testing: ======================== perl-CGI-3.630.0-1.mga1 perl-CGI-3.630.0-1.mga2 from SRPMS: perl-CGI-3.630.0-1.mga1.src.rpm perl-CGI-3.630.0-1.mga2.src.rpm
Possible PoC: https://bugzilla.redhat.com/show_bug.cgi?id=876974
Testing complete mga2 64 Confirmed the PoC. Before ------ $ perl test8036 P3P: policyref="/w3c/p3p.xml", CP="foo bar baz" Set-Cookie: foo bar baz Date: Thu, 29 Nov 2012 13:04:20 GMT Content-Type: text/html; charset=ISO-8859-1 After ----- $ perl test8036 Invalid header value contains a newline not followed by whitespace: foo bar baz at (eval 3) line 34.
Whiteboard: MGA1TOO => MGA1TOO has_procedure mga2-64-OK
Mga1 is affected by bug 2317 ---------------------------------------- Mageia release 1 (Official) for i586 Latest version found in "Core Release" is perl-CGI-3.520.0-1.mga1 Latest version found in "Core Updates Testing" is perl-CGI-3.630.0-1.mga1 ---------------------------------------- The following packages will require linking: perl-Test-Harness-3.230.0-1.mga1 (Core Release) perl-Test-Simple-0.980.0-1.mga1 (Core Release) ----------------------------------------
Depends on: (none) => 2317
Testing complete mga1 32
Whiteboard: MGA1TOO has_procedure mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga2-64-OK
Testing complete mga1 64
Whiteboard: MGA1TOO has_procedure mga1-32-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK
Testing complete Mageia 2 i586. Could someone from the sysadmin team push the srpm perl-CGI-3.630.0-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm perl-CGI-3.630.0-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates and link the rpm packages perl-Test-Harness-3.230.0-1.mga1 (Core Release) perl-Test-Simple-0.980.0-1.mga1 (Core Release) from Mageia 1 Core Release to Core Updates. Advisory: Updated perl-CGI package fixes security vulnerability: CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm (CVE-2012-5526). https://bugs.mageia.org/show_bug.cgi?id=8236
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO has_procedure mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK
Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0346
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED