Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Moritz Muehlenhoff
jmm at inutil.org
Wed Dec 8 19:48:16 UTC 2010
On Wed, Dec 08, 2010 at 08:23:56PM +0100, gregor herrmann wrote:
> clone 606370 -1
> reassign -1 libcgi-simple-perl
> thanks
>
> On Wed, 08 Dec 2010 19:47:18 +0100, Moritz Muehlenhoff wrote:
>
> > Three security issues have been reported in libcgi-pm-perl:
> >
> > http://security-tracker.debian.org/tracker/CVE-2010-2761
> > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > http://security-tracker.debian.org/tracker/CVE-2010-4411
> >
> > The first two issues are fixed in 3.50 (already in sid), but
> > the second is still pending a final fix (see the referenced
> > link).
>
> http://security-tracker.debian.org/tracker/CVE-2010-4410 says:
> "CRLF injection vulnerability in the header function in (1) CGI.pm
> before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier ..."
>
> CGI::Simple is in libcgi-simple-perl, cloning/reassigning.
>
>
> Hm, and I'm a bit confused by "first two issues are fixed" and "the
> second ...". Let's look if I got it right:
>
> CVE-2010-2761:
> "The multipart_init function in (1) CGI.pm before 3.50 and (2)
> Simple.pm in CGI::Simple 1.112 and earlier"
> -> libcgi-simple-perl
> -> libcgi-pm-perl in squeeze and older
>
> CVE-2010-4410:
> "CRLF injection vulnerability in the header function in (1) CGI.pm
> before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier"
> -> libcgi-simple-perl
> -> libcgi-pm-perl in squeeze and older
>
> CVE-2010-4411:
> "Unspecified vulnerability in CGI.pm 3.50 and earlier"
> -> libcgi-pm-perl
Ack. Sorry for the confusion, I meant "third" instead of "second".
Cheers,
Moritz
More information about the pkg-perl-maintainers
mailing list