Perl module
Software Description:
- perl: Larry Wall's Practical Extraction and Report Language
Details:
It was discovered that the Safe.pm Perl module incorrectly handled
Safe::reval and Safe::rdo access restrictions. An attacker could use this
flaw to bypass intended restrictions and possibly execute arbitrary code.
(CVE-2010-1168, CVE-2010-1447)
It was discovered that the CGI.pm Perl module incorrectly handled certain
- Severity: 5/5
=============================================
I. VULNERABILITY
-------------------------
SmbClientParser perl module allows remote command execution.
II. BACKGROUND
-------------------------
SmbClientParser is a useful Perl module for writing interactive NetBIOS
code; it is a wrapper around the Linux smbclient command and can be downloaded
HMAC authentication requests. An unauthenticated remote attacker
could send specially crafted SNMPv3 traffic with a valid username
and gain access to the user's views without a valid authentication
passphrase. (CVE-2008-0960)
John Kortink discovered that the Net-SNMP Perl module did not correctly
check the size of returned values. If a user or automated system were
tricked into querying a malicious SNMP server, the application using
the Perl module could be made to crash, leading to a denial of service.
This did not affect Ubuntu 8.10. (CVE-2008-2292)
Synopsis
========
Multiple vulnerabilities have been discovered in the Net::DNS Perl
module, allowing for a Denial of Service and a cache poisoning attack.
Background
==========
Net::DNS is a Perl implementation of a DNS resolver.
Problem Description:
A vulnerability has been found and corrected in perl-Compress-Raw-Zlib:
Off-by-one error in the inflate function in Zlib.xs in
Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS,
SpamAssassin, and possibly other products, allows context-dependent
attackers to cause a denial of service (hang or crash) via a crafted
zlib compressed stream that triggers a heap-based buffer overflow,
as exploited in the wild by Trojan.Downloader-71014 in June 2009
(CVE-2009-1391).
Package : libxml-atom-perl
Vulnerability : XML external entity expansion
Problem type : remote
Debian-specific: no
It was discovered that the XML::Atom Perl module did not disable
external entities when parsing XML from potentially untrusted sources.
This may allow attackers to gain read access to otherwise protected
resources, depending on how the library is used.
For the stable distribution (squeeze), this problem has been fixed in
Problem type : remote
Debian-specific: no
Debian bug : 607479
CVE IDs : CVE-2011-2766
Ferdinand Smit discovered that libfcgi-perl, a Perl module for writing
FastCGI applications, incorrectly restores environment variables of
a prior request in subsequent requests. In some cases this may lead
to authentication bypasses or worse.
CVE ID : CVE-2009-0667
It was discovered that the ocsinventory-agent, which is part of the
ocsinventory suite, a hardware and software configuration indexing service,
is prone to an insecure Perl module search path. As the agent is started
via cron and the current directory (/ in this case) is included in the
default Perl module path, the agent scans every directory on the system
for its Perl modules. This enables an attacker to execute arbitrary code
via a crafted ocsinventory-agent Perl module placed on the system.
8.04 build, some Perl .ph files were missing from the resulting update.
This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
Jonathan Smith discovered that the Archive::Tar Perl module did not
correctly handle symlinks when extracting archives. If a user or
automated system were tricked into opening a specially crafted tar file,
a remote attacker could overwrite arbitrary files. (CVE-2007-4829)
Tavis Ormandy and Will Drewry discovered that Perl did not correctly
Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
Problem Description:
A new version of the CGI Perl module has been released to CPAN,
which fixes several security bugs which directly affect Bugzilla
(these two security bugs were first discovered as affecting Bugzilla,
then identified as being bugs in CGI.pm itself).
Packages for 2009.0 are provided as of the Extended Maintenance
Archive::Tar.
Background
==========
Archive::Tar is a Perl module for creation and manipulation of tar
files.
Affected packages
=================
(This perl module is optional for cPanel users for automatic hooking into easyapache)
(Direct link to module http://69.93.178.39/FollowSymLinks_to_OwnerMatch.pm :: Place in /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache/ along with patch.)
Special thanks to: Patrick Pelanne for additional research along with the rest of the HG support team.
libperl5.8 5.8.7-10ubuntu1.2
Ubuntu 7.10:
libarchive-tar-perl 1.31-1ubuntu0.1
libperl5.8 5.8.8-7ubuntu3.4
perl-modules 5.8.8-7ubuntu3.4
Ubuntu 8.04 LTS:
libarchive-tar-perl 1.36-1ubuntu0.1
libperl5.8 5.8.8-12ubuntu0.3
perl-modules 5.8.8-12ubuntu0.3
compartment.
Background
==========
Safe is a Perl module to compile and execute code in restricted
compartments.
Affected packages
=================
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that the Compress::Raw::Zlib Perl module incorrectly
handled certain zlib compressed streams. If a user or automated system were
tricked into processing a specially crafted compressed stream or file, a
remote attacker could crash the application, leading to a denial of
service.
Problem Description:
A vulnerability has been found and corrected in perl-IO-Socket-SSL:
IO::Socket::SSL Perl module 1.35, when verify_mode is not VERIFY_NONE,
fails open to VERIFY_NONE instead of throwing an error when a
ca_file/ca_path cannot be verified, which allows remote attackers to
bypass intended certificate restrictions (CVE-2010-4334).
The updated packages have been patched to correct this issue.
Description: Bugzilla::WebService::User::offer_account_by_email does
not check the "createemailregexp" parameter, and thus
allows users to create accounts who would normally be
denied account creation.
The "emailregexp" parameter is still checked.
If you do not have the SOAP::Lite Perl module installed on
your Bugzilla system, your system is not vulnerable
(because the Bugzilla WebService will not be enabled).
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=395632