Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

gregor herrmann gregoa at debian.org
Wed Dec 8 19:23:56 UTC 2010


clone 606370 -1 
reassign -1 libcgi-simple-perl
thanks

On Wed, 08 Dec 2010 19:47:18 +0100, Moritz Muehlenhoff wrote:

> Three security issues have been reported in libcgi-pm-perl:
> 
> http://security-tracker.debian.org/tracker/CVE-2010-2761 
> http://security-tracker.debian.org/tracker/CVE-2010-4410
> http://security-tracker.debian.org/tracker/CVE-2010-4411
> 
> The first two issues are fixed in 3.50 (already in sid), but
> the second is still pending a final fix (see the referenced
> link). 

http://security-tracker.debian.org/tracker/CVE-2010-4410 says:
"CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier ..."

CGI::Simple is in libcgi-simple-perl, cloning/reassigning.


Hm, and I'm a bit confused by "first two issues are fixed" and "the
second ...". Let's see if I got it right:

CVE-2010-2761:
"The multipart_init function in (1) CGI.pm before 3.50 and (2)
Simple.pm in CGI::Simple 1.112 and earlier"
-> libcgi-simple-perl
-> libcgi-pm-perl in squeeze and older

CVE-2010-4410:
"CRLF injection vulnerability in the header function in (1) CGI.pm
before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier"
-> libcgi-simple-perl
-> libcgi-pm-perl in squeeze and older

CVE-2010-4411:
"Unspecified vulnerability in CGI.pm 3.50 and earlier"
-> libcgi-pm-perl


Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: Donovan: Jennifer Juniper