Salvatore Bonaccorso
2011-May-09 05:44 UTC
[Secure-testing-team] Bug#626135: libmojolicious-perl: XSS vulnerability in the link_to helper
Package: libmojolicious-perl
Version: 0.999926-1+squeeze1
Severity: grave
Tags: squeeze security
Justification: user security hole

Hi

libmojolicious-perl prior to 1.12 seems vulnerable to a cross-site scripting vulnerability. The CVE for this issue is CVE-2011-1841 [1].

 [1] http://security-tracker.debian.org/tracker/CVE-2011-1841

Debian wheezy and unstable already have 1.21-1. Debian squeeze has 0.999926-1+squeeze1, which according to [2] is vulnerable.

 [2] http://www.securityfocus.com/bid/47713/info

Changelog for 1.12 contains:

 - Fixed XSS issue in link_to helper.

This seems to be fixed in upstream git commit f6801ef7be8c78092e38f870b19fae3da0899d60 (but needs a check if we can apply it to version in squeeze).

Bests
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash