Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0135
Code Injection Vulnerability in Perl
4 October 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Perl
Operating System: Solaris
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-2761
Member content until: Saturday, November 3 2012
Reference: ESB-2011.0540
OVERVIEW
Oracle has addressed a vulnerability in Perl.
IMPACT
The following description of the vulnerability is from the NIST
National Vulnerability Database:
"The multipart_init function in (1) CGI.pm before 3.50 and (2)
Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of
the MIME boundary string in multipart/x-mixed-replace content, which
allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via crafted input that contains this
value, a different vulnerability than CVE-2010-3172." [2]
MITIGATION
Oracle has provided an update for Solaris 10. Solaris 9 users should
contact support. [1]
REFERENCES
[1] CVE-2010-2761 Code Injection Vulnerability in Perl
https://blogs.oracle.com/sunsecurity/entry/cve_2010_2761_code_injection
[2] Vulnerability Summary for CVE-2010-2761
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2761
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUGzxeu4yVqjM2NGpAQJ8+BAAiqO+K252U36qWz+MPzEK7N7G0LBGK/Bz
jHX1PxsD2TvQbVWN/BYO/4fyuofiG/d8TPKqXZ23wADb0WpUpmWl7D8zBJZpm+EF
aOwSV3XqgGrprwKA6bYSwEjpRNZmI+pYCy7l+u9MjVJvRgSncIB0PuVVJf8Jb3sp
jsxGjs0NDTS6YRr/Gge+KpZspgu8krrL8X/X/6C5E77+X/A/uHrcLO5dsRNnaEPB
99Zv9A1LXNUCWNTTp0pKMooSb3cC30lkzOC+eCmKC6pxu0tyTIddDxcTUVM/KXZT
Nft9nb2FoWVDyi08urqTNLx5VvIRt+YCjXoCUTF6dpm8CXedl9AEQS++7JVs2NjS
DTw79kDowIOp9JlheJfzZPkAD/IoXoPoO5R8WB05BmB/bwVDYOGGDkcoOQAq1TWU
LzoAR+7wO+ew13vtY8SuGw5tx4hKjIlqBtcfvxyVHgsxZgok6C6+fPDG3sZeU51L
IK3XigEl2ktFQK/UXqO4wHxW9eXCcbcoVpbIpu5U9BZpoMCyFjrNJCH0A3BJVO6O
PNJsdSnregvbUPTeChQGJy5eel1gVyWZGZUrSBJy6Y7mdQSLjVupYfbmXoyeiWut
2tnw35v3cp7aDw+uyWPb/Ik6yoL1jWx7ecxTkUtyjdEALG224IB78a7qeC6XLQgk
+z17l6SEEn0=
=hX+6
-----END PGP SIGNATURE-----