Rapid7 Vulnerability & Exploit Database

CESA-2003:257: perl security update




Updated Perl packages that fix a security issue in Safe.pm and a cross-site scripting (XSS) vulnerability in CGI.pm are now available.

Perl is a high-level programming language commonly used for system administration utilities and Web programming. Two security issues have been found in Perl that affect the Perl packages shipped with CentOS Linux:

When Safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and earlier, it is possible for an attacker to break out of safe compartments within Safe::reval and Safe::rdo by using a redefined @_ variable. This is because the redefined @_ variable is not reset between successive calls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1323 to this issue.

A cross-site scripting vulnerability was discovered in the start_form() function of CGI.pm. The vulnerability allows a remote attacker to insert a Web script via a URL fed into the form's action parameter. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0615 to this issue.

Users of Perl are advised to upgrade to these erratum packages, which contain Perl 5.6.1 with backported security patches correcting these issues.
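The CGI.pm issue (CAN-2003-0615) comes down to a request-derived URL being placed inside the form's action attribute without attribute escaping. The following added example is not code from CGI.pm or from the advisory: it uses its own tiny escape routine and two stand-in start_form builders, with a constructed sample URL, to show why the pre-fix output is unsafe and what the escaped output looks like.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that matter inside a double-quoted HTML attribute.
# (Own helper, an assumption for this illustration; not CGI::escapeHTML.)
sub escape_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Stand-in for the unfixed behaviour the advisory describes: the action
# URL is interpolated verbatim into the attribute.
sub start_form_unescaped {
    my ($action) = @_;
    return qq{<form method="post" action="$action">};
}

# Stand-in for the corrected behaviour: the URL is escaped first, so a
# quote in it can no longer terminate the attribute.
sub start_form_escaped {
    my ($action) = @_;
    return '<form method="post" action="' . escape_attr($action) . '">';
}

# Constructed sample: a self URL carrying a quote and a tag, as a
# request URI copied into the action attribute might.
my $tainted = q{/cgi-bin/app.pl?x="><b>injected</b>};

print "unescaped: ", start_form_unescaped($tainted), "\n";
my $fixed = start_form_escaped($tainted);
print "escaped:   $fixed\n";

# Defender's check: the escaped form tag must contain exactly one '<',
# i.e. nothing from the URL became markup.
my $open_tags = () = $fixed =~ /</g;
die "attribute escaping failed\n" unless $open_tags == 1;
print "ok: URL content stayed inside the attribute\n";
```

The unescaped line shows the attribute closing early and the injected markup landing in the page body; the escaped line keeps the whole URL as attribute text.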


  • centos-upgrade-perl
  • centos-upgrade-perl-cgi
  • centos-upgrade-perl-cpan
  • centos-upgrade-perl-db_file
  • centos-upgrade-perl-ndbm_file
  • centos-upgrade-perl-suidperl
