Date: Tue, 11 Dec 2012 10:56:44 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: coley@...us.mitre.org
CC: oss-security@...ts.openwall.com, security <security@...ntu.com>
Subject: CVE request: perl-modules

Debian recently fixed the following security bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224

"Locale::Maketext is a core l10n library that expands templates found in
strings. Two problems were found, reported, and patched-for by Brian
Carlson of cPanel, and these fixes are now in blead and on the CPAN.

The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

The flaws are:

* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing code
  injection through a malicious template

Please upgrade your Locale::Maketext, especially if you allow
user-provided templates."

--
Jamie Strandboge
http://www.ubuntu.com/
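An added example, not part of the original message or of the Perl commit it links: a pre-check that flags bracket groups in user-supplied Locale::Maketext templates whose method is not a plain name, which is the first flaw listed above. The acceptance rule, the function names and the sample templates are assumptions of this example; it does not address the metacharacter-quoting flaw, for which the message's advice to upgrade stands.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed rule for this example: a method is acceptable only if it is a
# shorthand or a plain identifier, so "::" and "'" package separators fail.
sub method_is_simple {
    my ($m) = @_;
    return 1 if $m eq '' || $m eq '*' || $m eq '#';   # interpolate, quant, numf
    return 1 if $m =~ /\A_(?:-?\d+|\*)\z/;            # [_1], [_-1], [_*]
    return $m =~ /\A\w+\z/ ? 1 : 0;
}

# Return the bracket groups of a template whose method name is not simple.
# "~" is the Bracket Notation escape, so "~[" never opens a group.
sub suspicious_groups {
    my ($template) = @_;
    my @found;
    my $group;    # undef outside [...]; otherwise the text collected so far
    my @chars = split //, $template;
    while (@chars) {
        my $c = shift @chars;
        if ($c eq '~') {                      # escaped char: keep it, do not parse it
            my $next = @chars ? shift @chars : '';
            $group .= $c . $next if defined $group;
        }
        elsif ($c eq '[' && !defined $group) { $group = '' }
        elsif ($c eq ']' && defined $group) {
            # Method = everything before the first unescaped comma.
            my ($method) = $group =~ /\A((?:~.|[^,~])*)/s;
            push @found, "[$group]" unless method_is_simple($method);
            undef $group;
        }
        elsif (defined $group) { $group .= $c }
    }
    push @found, "[$group (unterminated)" if defined $group;
    return @found;
}

# Constructed sample lexicon entries (not taken from the advisory).
my @samples = (
    'You have [quant,_1,file,files].',
    'Price: ~[USD~] [numf,_1]',
    'Hello [Some::Package::routine,_1]',
    "Hello [Some'Package'routine,_1]",
);
for my $t (@samples) {
    my @bad = suspicious_groups($t);
    printf "%-6s %s\n", (@bad ? 'REJECT' : 'ok'), $t;
    print  "         $_\n" for @bad;
}
```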