RHSA-2011:0558: perl security and bug fix update
Description
Perl is a high-level programming language commonly used for systemadministration utilities and web programming. The Perl CGI module providesresources for preparing and processing Common Gateway Interface (CGI) basedHTTP requests and responses.It was found that the Perl CGI module used a hard-coded value for the MIMEboundary string in multipart/x-mixed-replace content. A remote attackercould possibly use this flaw to conduct an HTTP response splitting attackvia a specially-crafted HTTP request. (CVE-2010-2761)A CRLF injection flaw was found in the way the Perl CGI module processed asequence of non-whitespace preceded by newline characters in the header. Aremote attacker could use this flaw to conduct an HTTP response splittingattack via a specially-crafted sequence of characters provided to the CGImodule. (CVE-2010-4410)It was found that certain Perl string manipulation functions (such as uc()and lc()) failed to preserve the taint bit. A remote attacker could usethis flaw to bypass the Perl taint mode protection mechanism in scriptsthat use the affected functions to process tainted input. (CVE-2011-1487)These packages upgrade the CGI module to version 3.51. Refer to the CGImodule's Changes file, linked to in the References, for a full list ofchanges.This update also fixes the following bugs:CPAN: checksum security checks disabled because Digest::SHA not installed.Please consider installing the Digest::SHA module.This update corrects the spec file for the perl package to require theperl-Digest-SHA package as a dependency, and cpan no longer displays theabove message. (BZ#640716)Users of Perl, especially those of Perl threads, are advised to upgrade tothese updated packages, which correct these issues.
Solution(s)
- redhat-upgrade-perl
- redhat-upgrade-perl-archive-extract
- redhat-upgrade-perl-archive-tar
- redhat-upgrade-perl-cgi
- redhat-upgrade-perl-compress-raw-zlib
- redhat-upgrade-perl-compress-zlib
- redhat-upgrade-perl-core
- redhat-upgrade-perl-cpan
- redhat-upgrade-perl-cpanplus
- redhat-upgrade-perl-debuginfo
- redhat-upgrade-perl-devel
- redhat-upgrade-perl-digest-sha
- redhat-upgrade-perl-extutils-cbuilder
- redhat-upgrade-perl-extutils-embed
- redhat-upgrade-perl-extutils-makemaker
- redhat-upgrade-perl-extutils-parsexs
- redhat-upgrade-perl-file-fetch
- redhat-upgrade-perl-io-compress-base
- redhat-upgrade-perl-io-compress-zlib
- redhat-upgrade-perl-io-zlib
- redhat-upgrade-perl-ipc-cmd
- redhat-upgrade-perl-libs
- redhat-upgrade-perl-locale-maketext-simple
- redhat-upgrade-perl-log-message
- redhat-upgrade-perl-log-message-simple
- redhat-upgrade-perl-module-build
- redhat-upgrade-perl-module-corelist
- redhat-upgrade-perl-module-load
- redhat-upgrade-perl-module-load-conditional
- redhat-upgrade-perl-module-loaded
- redhat-upgrade-perl-module-pluggable
- redhat-upgrade-perl-object-accessor
- redhat-upgrade-perl-package-constants
- redhat-upgrade-perl-params-check
- redhat-upgrade-perl-parent
- redhat-upgrade-perl-parse-cpan-meta
- redhat-upgrade-perl-pod-escapes
- redhat-upgrade-perl-pod-simple
- redhat-upgrade-perl-suidperl
- redhat-upgrade-perl-term-ui
- redhat-upgrade-perl-test-harness
- redhat-upgrade-perl-test-simple
- redhat-upgrade-perl-time-hires
- redhat-upgrade-perl-time-piece
- redhat-upgrade-perl-version
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center