===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0135
                   Code Injection Vulnerability in Perl
                              4 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Perl
Operating System:     Solaris
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-2761
Member content until: Saturday, November 3 2012
Reference:            ESB-2011.0540

OVERVIEW

        Oracle has addressed a vulnerability in Perl.

IMPACT

        The following description of the vulnerability is from the NIST
        National Vulnerability Database:

        "The multipart_init function in (1) CGI.pm before 3.50 and (2)
        Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value
        of the MIME boundary string in multipart/x-mixed-replace content,
        which allows remote attackers to inject arbitrary HTTP headers and
        conduct HTTP response splitting attacks via crafted input that
        contains this value, a different vulnerability than CVE-2010-3172."
        [2]

MITIGATION

        Oracle has provided an update for Solaris 10. Solaris 9 users
        should contact support. [1]

REFERENCES

        [1] CVE-2010-2761 Code Injection Vulnerability in Perl
            https://blogs.oracle.com/sunsecurity/entry/cve_2010_2761_code_injection

        [2] Vulnerability Summary for CVE-2010-2761
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2761

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
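
The NVD description in the IMPACT section is a message-framing problem: when the boundary is a known constant, any body that contains it changes how the receiver splits the stream. The following is an added example, not code from CGI.pm, CGI::Simple, Oracle or AusCERT; it is a Python model of multipart/x-mixed-replace framing in which the boundary value, sample bodies and function names are all constructed for illustration.

```python
import secrets

CRLF = "\r\n"
# Constructed placeholder, not the string CGI.pm or CGI::Simple actually used.
FIXED_BOUNDARY = "EXAMPLE-FIXED-BOUNDARY"


def new_boundary():
    """Unpredictable per-response boundary (128 bits from the OS CSPRNG)."""
    return secrets.token_hex(16)


def build_stream(bodies, boundary, strict=False):
    """Frame each body as one part of a multipart/x-mixed-replace stream.

    With strict=True, refuse any body that contains the boundary string.
    """
    out = []
    for body in bodies:
        if strict and boundary in body:
            raise ValueError("body contains the multipart boundary")
        out.append("--" + boundary + CRLF)
        out.append("Content-Type: text/plain" + CRLF + CRLF)
        out.append(body + CRLF)
    out.append("--" + boundary + "--" + CRLF)
    return "".join(out)


def count_parts(stream, boundary):
    """Count parts as a receiver sees them: one per delimiter line."""
    return sum(1 for line in stream.split(CRLF) if line == "--" + boundary)


def demo():
    """Return (parts seen with fixed boundary, parts seen with random one)."""
    # Constructed input: the second body embeds the fixed delimiter line.
    crafted = ("frame 1" + CRLF + "--" + FIXED_BOUNDARY + CRLF
               + "X-Example: injected" + CRLF + CRLF + "extra")
    bodies = ["frame 0", crafted]
    weak = count_parts(build_stream(bodies, FIXED_BOUNDARY), FIXED_BOUNDARY)
    boundary = new_boundary()
    strong = count_parts(build_stream(bodies, boundary, strict=True), boundary)
    return weak, strong


if __name__ == "__main__":
    print(demo())  # (3, 2): two bodies sent, three parts parsed when fixed
```

A part count higher than the number of bodies sent is the framing break the advisory describes; the per-body check in strict mode matters for streamed responses, where later bodies are not known when the boundary is chosen.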