[Secure-testing-team] Bug#694279: libdancer-perl: Cookie name CRLF injection
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 24 23:49:25 UTC 2012
Package: libdancer-perl
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
Similar to #693421, CVE-2012-5526, it was reported[1] that
libdancer-perl's Dancer::Cookie also does not validate the cookie name for
CRLF and other invalid symbols in headers. A patch, however, does not
seem to be present so far.
[1]: https://github.com/sukria/Dancer/issues/859
Regards,
Salvatore
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
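
An added example, not part of the original report and not Dancer's own code: one way to apply the kind of check the report says is missing, by rejecting any cookie name that is not an RFC 2616 token (the syntax RFC 6265 gives for cookie-name). The helper names is_valid_cookie_name and set_cookie_header and the sample inputs are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Dancer's code: reject cookie names that are not
# RFC 2616 "token"s before they are written into a Set-Cookie header.
use strict;
use warnings;

# token = 1*<any CHAR except CTLs or separators>
# Allowed: visible ASCII minus ( ) < > @ , ; : \ " / [ ] ? = { }
# \A and \z anchor the whole string; "$" would tolerate a trailing newline.
my $TOKEN_RE = qr/\A[!#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/;

# Hypothetical helper: returns 1 only for a well-formed cookie name.
sub is_valid_cookie_name {
    my ($name) = @_;
    return (defined($name) && $name =~ $TOKEN_RE) ? 1 : 0;
}

# Hypothetical helper: build a Set-Cookie header line or die.
sub set_cookie_header {
    my ($name, $value) = @_;
    die "invalid cookie name\n" unless is_valid_cookie_name($name);
    # Value validation is out of scope here; assume it is already encoded.
    return "Set-Cookie: $name=$value";
}

# Constructed sample inputs.
my @samples = (
    "session",
    "lang-pref_2",
    "id\r\nX-Injected: 1",   # CR/LF would start a new header line
    "a b",                   # space is a separator
    "k=v",                   # '=' would split name and value
    "name;",                 # ';' starts a cookie attribute
    "",                      # empty name
    "ok\n",                  # trailing newline, caught by \z
);

for my $name (@samples) {
    # Escape non-printable bytes so the report itself stays on one line.
    (my $shown = $name) =~ s/([^\x21-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $line = eval { set_cookie_header($name, "1") };
    printf "%-28s %s\n", "'$shown'", defined $line ? "accepted" : "rejected";
}
```

Only the first two sample names are accepted; every name containing a control character, a separator or nothing at all is rejected before a header line is built.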