-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] OpenPKG-SA-2003.039 15-Sep-2003 ________________________________________________________________________ Package: perl (CGI.pm) Vulnerability: cross site scripting OpenPKG Specific: yes Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= perl-5.8.0-20030903 >= perl-5.8.0-20030915 OpenPKG 1.3 <= perl-5.8.0-1.3.0 >= perl-5.8.0-1.3.1 OpenPKG 1.2 <= perl-5.8.0-1.2.0 >= perl-5.8.0-1.2.1 Dependent Packages: none Description: This message is a continuation of OpenPKG-SA-2003.036-perl-www [0]. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0615 [1] to the problem described. This document also outlines an important problematic regarding the native load order of Perl modules. The CGI.pm module not only comes with the "perl-www" package but an ancient version 2.81 is also embedded into the "perl" package. The corrected packages mentioned above have the official fix backported to the embedded version. Be aware that all releases of OpenPKG up to and including 1.3 use Perl's native load order for modules where embedded modules are preferred over additional modules. This means that the CGI.pm embedded into the "perl" package is loaded before the sibling from the additional "perl-www" package is found. This inhibits the use and correction of additional modules with same name as embedded ones. It should be noted that beginning with perl-5.8.0-20030903 the load order is adjusted to prefer additional modules over embedded ones [2]. There are no plans modifiying the module load order of the "perl" package in existing releases. Although more intuitive, it would change existing behaviour and is likely to break existing installations. During the support lifecycle, security advisories and corrected packages will be issued for both embedded and additional packages. Please check whether you are affected by running "<prefix>/bin/rpm -q perl". If you have the "perl" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror location, verify its integrity [9], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the current release OpenPKG 1.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.3/UPD ftp> get perl-5.8.0-1.3.1.src.rpm ftp> bye $ <prefix>/bin/rpm -v --checksig perl-5.8.0-1.3.1.src.rpm $ <prefix>/bin/rpm --rebuild perl-5.8.0-1.3.1.src.rpm $ su - # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-5.8.0-1.3.1.*.rpm ________________________________________________________________________ References: [0] http://www.openpkg.org/security/OpenPKG-SA-2003.036-perl-www.html [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 [2] http://cvs.openpkg.org/chngview?cn=11997 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.2/UPD/perl-5.8.0-1.2.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.3/UPD/perl-5.8.0-1.3.1.src.rpm [7] ftp://ftp.openpkg.org/release/1.2/UPD/ [8] ftp://ftp.openpkg.org/release/1.3/UPD/ [9] http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <[EMAIL PROTECTED]> iD8DBQE/ZdREgHWT4GPEy58RAkkGAKCRUtKz9JKDcvN/arW5+jrL+0UqIgCgw7U9 98GlCzZqIAZilnkwX39/jNs= =Sb5R -----END PGP SIGNATURE----- ______________________________________________________________________ The OpenPKG Project www.openpkg.org Project Announcement List [EMAIL PROTECTED]