Two vulnerabilities have been found in the perl-Mojolicious package on the Fedora 13 and 14 operating systems; they allow successful attackers to carry out XSS attacks.
Package:
perl-Mojolicious 0.x
Operating systems:
Fedora 13, Fedora 14
Severity:
5.2/10
Problem:
improper input validation, error in a software component
Exploitation:
remote
Impact:
injection of HTML and script code
Solution:
vendor patch
CVE:
CVE-2011-1841, CVE-2010-4803
Original advisory ID:
FEDORA-2011-6465
Source:
Fedora
Problem:
The first vulnerability occurs in the "link_to helper" module, and the second flaw is caused by improper verification of the HMAC-MD5 digest.
Impact:
Successful exploitation of the vulnerabilities allows attackers to inject arbitrary web scripts or HTML code.
Solution:
Since an appropriate update is available, all users of the vulnerable package are advised to apply it.
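A check for whether a host already carries the fixed build, added here as an example and not part of the advisory or of Fedora's notifications. The function names are hypothetical, the fixed builds are the ones listed in the two notifications on this page, and the comparison uses GNU `sort -V` as an approximation of RPM version ordering (epochs are ignored).

```shell
#!/bin/sh
# Added example: decide whether an installed perl-Mojolicious build is at or
# above the fixed build named in FEDORA-2011-6462 / FEDORA-2011-6465.

# Fixed version-release per Fedora release, as listed in the notifications.
fixed_build() {
    case "$1" in
        13) echo "0.999925-4.fc13" ;;
        14) echo "0.999929-3.fc14" ;;
        *)  return 1 ;;
    esac
}

# ver_ge A B: succeeds when A >= B. `sort -V` is an approximation of RPM
# ordering that is adequate for these numeric version-release strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_build FEDORA_RELEASE VERSION-RELEASE
# Prints fixed / vulnerable / unknown-release; exit status 0 / 1 / 2.
check_build() {
    want=$(fixed_build "$1") || { echo "unknown-release"; return 2; }
    if ver_ge "$2" "$want"; then
        echo "fixed"
    else
        echo "vulnerable"
        return 1
    fi
}

# On a real host the two arguments would come from rpm, for example:
#   check_build "$(rpm -E '%{fedora}')" \
#               "$(rpm -q --qf '%{VERSION}-%{RELEASE}' perl-Mojolicious)"

# Constructed sample inventory: "<fedora release> <version-release>".
while read -r rel build; do
    printf 'Fedora %s perl-Mojolicious-%s: %s\n' \
        "$rel" "$build" "$(check_build "$rel" "$build" || true)"
done <<'EOF'
13 0.999925-3.fc13
14 0.999929-2.fc14
14 0.999929-3.fc14
EOF
```
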
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-6465
2011-05-04 00:38:40
--------------------------------------------------------------------------------
Name : perl-Mojolicious
Product : Fedora 14
Version : 0.999929
Release : 3.fc14
URL : http://mojolicious.org/
Summary : A next generation web framework for Perl
Description :
Back in the early days of the web there was this wonderful Perl library
called CGI, many people only learned Perl because of it. It was simple
enough to get started without knowing much about the language and powerful
enough to keep you going, learning by doing was much fun. While most of the
techniques used are outdated now, the idea behind it is not. Mojolicious is
a new attempt at implementing this idea using state of the art technology.
--------------------------------------------------------------------------------
Update Information:
Attempt at CVE-2011-1841(#701719)
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 3 2011 Yanko Kaneti 0.999929-3
- Attempt at CVE-2011-1841(#701719)
* Sun Apr 17 2011 Yanko Kaneti 0.999929-2
- Security bugfix attempt.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #701719 - CVE-2011-1841 perl-Mojolicious: XSS vulnerability in
link_to helper [fedora-14]
https://bugzilla.redhat.com/show_bug.cgi?id=701719
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update perl-Mojolicious' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-6462
2011-05-04 00:38:34
--------------------------------------------------------------------------------
Name : perl-Mojolicious
Product : Fedora 13
Version : 0.999925
Release : 4.fc13
URL : http://mojolicious.org/
Summary : A next generation web framework for Perl
Description :
Back in the early days of the web there was this wonderful Perl library
called CGI, many people only learned Perl because of it. It was simple
enough to get started without knowing much about the language and powerful
enough to keep you going, learning by doing was much fun. While most of the
techniques used are outdated now, the idea behind it is not. Mojolicious is
a new attempt at implementing this idea using state of the art technology.
--------------------------------------------------------------------------------
Update Information:
Blind attempt at CVE-2010-4803(#701718) and CVE-2011-1841
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #701718 - CVE-2011-1841 CVE-2010-4803 perl-Mojolicious various
flaws [fedora-13]
https://bugzilla.redhat.com/show_bug.cgi?id=701718
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update perl-Mojolicious' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------