Bug#626135: libmojolicious-perl: XSS vulnerability in the link_to helper
Moritz Muehlenhoff
jmm at inutil.org
Tue May 10 20:13:02 UTC 2011
On Mon, May 09, 2011 at 07:44:21AM +0200, Salvatore Bonaccorso wrote:
> Package: libmojolicious-perl
> Version: 0.999926-1+squeeze1
> Severity: grave
> Tags: squeeze security
> Justification: user security hole
>
> Hi
>
> libmojolicious-perl prior to 1.12 seems vulnerable to a cross-site
> scripting vulnerability.
>
> The CVE for this issue is CVE-2011-1841 [1].
>
> [1] http://security-tracker.debian.org/tracker/CVE-2011-1841
>
> Debian wheezy and unstable already have 1.21-1. Debian squeeze has
> 0.999926-1+squeeze1, which according to [2] is vulnerable.
>
> [2] http://www.securityfocus.com/bid/47713/info
>
> Changelog for 1.12 contains:
>
> - Fixed XSS issue in link_to helper.
>
> This seems to be fixed in upstream git commit
> f6801ef7be8c78092e38f870b19fae3da0899d60 (but needs a check if we can
> apply it to version in squeeze).
There's also CVE-2010-4803 and CVE-2010-4802, which have been
assigned to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622952#31
IIRC we postponed these two to push the more severe directory traversal
bug recently fixed.
Could you contact upstream and check/discuss the impact and
applicability to the Squeeze version?
Cheers,
Moritz