Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Nov 2012 13:06:55 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>, Sawyer X <>,
        Petr Pisar <>
Subject: CVE Request -- / perl-Dancer / libdancer-perl: Newline
 injection due to improper CRLF escaping in cookie() and cookies() methods
 (different vulnerability than CVE-2012-5526)

Hello Kurt, Steve, vendors,

  a security flaw was found in the way,
lightweight yet powerful web application framework
/ Perl language module, performed sanitization of
values to be used for cookie() and cookies() methods.
A remote attacker could use this flaw to inject arbitrary
headers into responses from (Perl) applications, that use A different vulnerability than CVE-2012-5526.


Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: The issue is different / unrelated than similar
      recent, CVE-2012-5526, flaw (the presence
      / absence of the CVE-2012-5526 fix doesn't
      have impact on it).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.