-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:250 http://www.mandriva.com/security/ _______________________________________________________________________ Package : perl-CGI-Simple Date : December 9, 2010 Affected: Corporate 4.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in perl-CGI-Simple: The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172 (CVE-2010-2761). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2761 _______________________________________________________________________ Updated Packages: Corporate 4.0: b2e5ffba685cf732133e42fe1b82791d corporate/4.0/i586/perl-CGI-Simple-0.077-1.1.20060mlcs4.noarch.rpm e37ee0869e2fd9f4e875354edca20c6f corporate/4.0/SRPMS/perl-CGI-Simple-0.077-1.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 5231722e821a5478827e17293dd0836b corporate/4.0/x86_64/perl-CGI-Simple-0.077-1.1.20060mlcs4.noarch.rpm e37ee0869e2fd9f4e875354edca20c6f corporate/4.0/SRPMS/perl-CGI-Simple-0.077-1.1.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 04f4b7381ba21a1ba14845a06b680fb1 mes5/i586/perl-CGI-Simple-1.1-4.1mdvmes5.1.noarch.rpm 15d6dc30e4dbf78a7371c1715386f552 mes5/SRPMS/perl-CGI-Simple-1.1-4.1mdvmes5.1.src.rpm Mandriva Enterprise Server 5/X86_64: bf81ab1b1798bb141b74c6f8e6d59630 mes5/x86_64/perl-CGI-Simple-1.1-4.1mdvmes5.1.noarch.rpm 15d6dc30e4dbf78a7371c1715386f552 mes5/SRPMS/perl-CGI-Simple-1.1-4.1mdvmes5.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNAMpimqjQ0CJFipgRAsKPAJ9gy8D5blvchEFe/KRmwMEFYtjWZQCgzSmG 3t2bZiJcPZFuhFYF28NTyJ0= =Xkba -----END PGP SIGNATURE-----