Otkrivene su dvije sigurnosne ranjivosti programskog paketa Perl, a udaljeni napadač ih može iskoristiti za umetanje i pokretanje proizvoljnog perl programskog koda.
Prva ranjivost je uzrokovana neodgovarajućim rukovanjem ulaznim podacima u funkciji "Digest->new()", dok se druga očituje kao preljev međuspremnika gomile u datoteci "Unicode.xs".
Posljedica:
Udaljeni napadač može iskoristiti ranjivosti za umetanje i izvođenje proizvoljnog programskog koda.
Rješenje:
Korisnicima se savjetuje korištenje službene programske nadogradnje.
---------------------------------------------------------------------------=
-----
Fedora Update Notification
FEDORA-2011-13874
2011-10-05 23:31:13
---------------------------------------------------------------------------=
-----
Name : perl
Product : Fedora 14
Version : 5.12.4
Release : 147.fc14
URL : http://www.perl.org/
Summary : Practical Extraction and Report Language
Description :
Perl is a high-level programming language with roots in C, sed, awk
and shell scripting. Perl is good at handling processes and files,
and is especially good at handling text. Perl's hallmarks are
practicality and efficiency. While it is used to do a lot of
different things, Perl's most common applications are system
administration utilities and web programming. A large proportion of
the CGI scripts on the web are written in Perl. You need the perl
package installed on your system so that your system can handle Perl
scripts.
Install this package if you want to program in Perl or enable your
system to handle Perl scripts.
---------------------------------------------------------------------------=
-----
Update Information:
This update fixes security bug in Digest object constructor (CVE-2011-3597)=
and in decoding Unicode string by interpreter (CVE-2011-2939).
---------------------------------------------------------------------------=
-----
ChangeLog:
* Wed Oct 5 2011 Petr Pisar <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 4:5.12.4-147
- Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
- Fix CVE-2011-2939 (heap overflow while decoding Unicode string) (bug #731=
246)
* Fri Jun 24 2011 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.4-146
- every Fedora has different paths -> remove dirs, which were added in
previous commit
* Wed Jun 22 2011 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.4-145
- update to minor update release 5.12.4
- Upstream changes: remove patch for lc tainting RT #87336,
- updated Module-CoreList v2.50 in tarball
- add un-owned but existing perl_vendorarch
* Wed Jun 1 2011 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.3-144
- arm can't do parallel build
- add require EE::MM into IPC::Cmd 711486
* Fri Apr 1 2011 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.3-143 =
- 692900 - lc launders tainted flag, RT #87336
* Thu Mar 10 2011 Tom Callaway <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 4:5.12.3-142
- update ExtUtils::ParseXS to 2.2206 (current) to fix Wx build
* Mon Jan 24 2011 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.3-141
- stable update 5.12.3
- add COMPAT
* Wed Dec 1 2010 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.2-140
- create sub-package for CGI 3.49
- create sub-package for threads-shared
* Tue Nov 9 2010 Petr Pisar <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 4:5.12.2-139
- Sub-package perl-Class-ISA (bug #651317)
* Mon Nov 8 2010 Marcela Ma=C5=A1l=C3=A1=C5=88ov=C3=A1 <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.=
m> - 4:5.12.2-138
- 643447 fix redefinition of constant C in h2ph (visible in git send mail,
XML::Twig test suite)
* Mon Nov 8 2010 Petr Pisar <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 4:5.12.2-137
- Make perl(ExtUtils::ParseXS) version 4 digits long (bug #650882)
---------------------------------------------------------------------------=
-----
References:
[ 1 ] Bug #743010 - CVE-2011-3597 Perl Digest improper control of generat=
ion of code
https://bugzilla.redhat.com/show_bug.cgi?id=3D743010
[ 2 ] Bug #731246 - CVE-2011-2939 Perl decode_xs heap-based buffer overfl=
ow
https://bugzilla.redhat.com/show_bug.cgi?id=3D731246
---------------------------------------------------------------------------=
-----
This update can be installed with the "yum" update program. Use =
su -c 'yum update perl' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on t=
he
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
---------------------------------------------------------------------------=
-----
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Posljednje sigurnosne preporuke