Bug#739505: libcgi-application-perl: security flaw introduced in v4.19 may expose internal secrets
F.Behrens
debian-io at fionn.de
Wed Feb 19 13:28:15 UTC 2014
Package: libcgi-application-perl
Version: 4.31-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
An API change introduced in 2008 already (commit 61d327646f01fe) may cause
unexpected and unwanted data dumps of a complete set of web query data and
environment to the public. Developers of web apps written before the change are
probably unaware of the problem since the general behaviour does change only
in the case of a software error.
The issue has already been reported here:
https://rt.cpan.org/Ticket/Display.html?id=84403
A patch has already been suggested here:
https://rt.cpan.org/Ticket/Display.html?id=84403
IMHO you should consider a security backport of the patch for all
affected package versions.
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/24 CPU cores)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Versions of packages libcgi-application-perl depends on:
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii perl-modules 5.10.1-17squeeze3 Core Perl modules
libcgi-application-perl recommends no packages.
Versions of packages libcgi-application-perl suggests:
ii libhtml-template-perl 2.9-2 module for using HTML Templates wi
-- no debconf information