Conectiva Affected

Updated:  July 30, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE           : perl
SUMMARY           : CGI.pm cross site scripting vulnerability
DATE              : 2003-07-29 14:53:00
ID                : CLA-2003:713
RELEVANT RELEASES : 8, 9

DESCRIPTION

Perl is a high-level interpreted programming language well known for its flexibility and ability to work with text streams.

obscure@eyeonsecurity.org reported[1] a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

SOLUTION

It is recommended that all users of the CGI.pm module upgrade their packages.

REFERENCES

1. http://eyeonsecurity.org/advisories/CGI.pm/adv.html

UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/8/SRPMS/perl-5.6.1-19U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/miniperl-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-base-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-devel-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-devel-static-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-doc-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-lib-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-modules-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/perl-utils-5.6.1-19U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/perl-5.8.0-28837U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libperl5.8-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/miniperl-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-base-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-devel-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-devel-static-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-doc-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-modules-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-suidperl-5.8.0-28837U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/perl-utils-5.8.0-28837U90_2cl.i386.rpm

ADDITIONAL INSTRUCTIONS

The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/JrTl42jd0JmAcZARAtRNAJ4uB+6hcCH4ZgrT48bZDKAfAepEIACZAY1g
FFwRu7idOx17DAywH+M8UKA=
=z88h
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian Affected

Updated:  August 21, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Debian Security Team has released Debian Security Advisory DSA-371 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

Lincoln Stein Affected

Updated:  October 07, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Versions 2.94 and later of the CGI.pm module contain a patch for this vulnerability. The primary distribution site for CGI.pm is Users building the Perl system or CGI.pm from source code are encouraged to get an updated version of the software. Users of prepackaged versions of the Perl system are encouraged to check the Vendors section of this Vulnerability Note for more information.

MandrakeSoft Affected

Updated:  September 02, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has released Mandrake Linux Security Update Advisory MDKSA-2003:084 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

OpenBSD Affected

Updated:  September 02, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenBSD development team committed a patch for this vulnerability into their source code repository on 2003-07-23 and into the OPENBSD_3_2 and OPENBSD_3_3 branches on 2003-08-19:

http://marc.theaimsgroup.com/?l=openbsd-cvs&m=105892463517131&w=2
http://marc.theaimsgroup.com/?l=openbsd-cvs&m=106131738919399&w=2
http://marc.theaimsgroup.com/?l=openbsd-cvs&m=106131742419423&w=2

OpenPKG Affected

Updated:  October 07, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenPKG Security Team has released OpenPKG Security Advisories OpenPKG-SA-2003.036 and OpenPKG-SA-2003.039 in response to this issue. Users are encouraged to review these advisories and apply the patches they refer to.

Red Hat Inc. Affected

Updated:  October 07, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has released Red Hat Security Advisory RHSA-2003:256 in response to this issue. Users are encouraged to review this advisory and apply the patches that it refers to.

SCO Affected

Updated:  November 13, 2003

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SCO Security Advisory

Subject:          OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.
Advisory number:  CSSA-2003-SCO.30
Issue date:       2003 November 06
Cross reference:  sr883606 fz528215 erg712409

1. Problem Description

Perl is a high-level interpreted programming language well known for its flexibility and ability to work with text streams.

Obscure^ (obscure@eyeonsecurity.org) reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

2. Vulnerable Supported Versions

System              Binaries
OpenServer 5.0.7    Perl distribution
OpenServer 5.0.6    Perl distribution
OpenServer 5.0.5    Perl distribution

3. Solution

The proper solution is to install the latest packages.

4. OpenServer 5.0.7

4.1 First install Maintenance Pack 1
ftp://ftp.sco.com/pub/openserver5/507/osr507mp/

4.2 Next install gxwlibs
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

4.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

4.3 Verification

MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

md5 is available for download from ftp://ftp.sco.com/pub/security/tools

4.4 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images.

5. OpenServer 5.0.6 / OpenServer 5.0.5

5.1 First install OSS646B - Execution Environment Supplement
ftp://ftp.sco.com/pub/openserver5/oss646b

5.2 Next install gwxlibs
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

5.3 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

5.4 Verification

MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

md5 is available for download from ftp://ftp.sco.com/pub/security/tools

5.5 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images.

6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2
http://eyeonsecurity.org/advisories/CGI.pm/adv.html

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr883606 fz528215 erg712409.

7. Disclaimer

SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.

8. Acknowledgments

SCO would like to thank Obscure^ for reporting this issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/qve+aqoBO7ipriERAqUtAJ9MBKogbCSdqJ8UrBA6YDmu2dXosQCgiaI9
LzUtvWmI6sIIeitugMgsyRg=
=2/ex
-----END PGP SIGNATURE-----
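The SCO advisory above asks administrators to compare the downloaded VOL files against the published MD5 lines before running custom. The script below is an added example, not part of the SCO advisory or of any vendor's tooling: it parses manifest lines in the "MD5 (FILE) = HEX" form the advisory uses and checks every listed file in a directory, failing on any missing or mismatched volume. The directory layout, the demo files and their digests (RFC 1321 test vectors) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify update media against an advisory's MD5 manifest.
# Manifest format (as in the SCO advisory): MD5 (VOL.000.000) = <32 hex chars>

# Print the MD5 hex digest of one file, using whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                      # BSD-style md5(1)
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_manifest MANIFEST DIR
# For every "MD5 (name) = hex" line in MANIFEST, hash DIR/name and compare.
# Returns 0 only if every listed file exists and matches; non-manifest lines
# (headings, prose) are skipped, so the advisory text itself can be the input.
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while IFS= read -r line; do
        case "$line" in
            "MD5 ("*") = "*) ;;          # a manifest line
            *) continue ;;
        esac
        name=${line#MD5 (}; name=${name%%)*}   # text between the parentheses
        expect=${line##*= }                    # hex digest after "= "
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(md5_of "$dir/$name")
        if [ "$actual" = "$expect" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual, expected $expect)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demo: two "volumes" plus a manifest using known MD5 test
# vectors: md5("abc") and md5("") from RFC 1321.  Prints the temp directory.
demo_setup() {
    d=$(mktemp -d)
    printf 'abc' > "$d/VOL.000.000"
    : > "$d/VOL.000.001"
    printf 'MD5 (VOL.000.000) = 900150983cd24fb0d6963f7d28e17f72\nMD5 (VOL.000.001) = d41d8cd98f00b204e9800998ecf8427e\n' > "$d/manifest"
    echo "$d"
}
# Usage: d=$(demo_setup); verify_manifest "$d/manifest" "$d"
```

Pointing the function at the advisory text instead of a hand-written manifest works too, since only lines in the MD5 form are considered.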

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Affected

Updated:  February 11, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems has published Sun Alert ID #57473 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.