CGI 2.59 Deleted
Security Advisories
CVE-2012-5526
CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
- http://www.securityfocus.com/bid/56562
- http://www.openwall.com/lists/oss-security/2012/11/15/6
- https://github.com/markstos/CGI.pm/pull/23
- http://www.securitytracker.com/id?1027780
- http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
- http://secunia.com/advisories/51457
- http://www.ubuntu.com/usn/USN-1643-1
- http://www.debian.org/security/2012/dsa-2586
- http://rhn.redhat.com/errata/RHSA-2013-0685.html
- http://secunia.com/advisories/55314
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80098
Fixed version: >=3.63
Reported: 2012-11-21
CVE-2011-2766
Usage of deprecated FCGI.pm API.
- https://rt.cpan.org/Public/Bug/Display.html?id=68380
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2766
Fixed version: >=3.56
Reported: 2011-11-08
Non-random MIME boundary.
Fixed version: >=3.50
Reported: 2010-11-08
Newlines in headers.
Fixed version: >=3.49
Reported: 2010-02-05
CVE-2010-4411
Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761.
- http://openwall.com/lists/oss-security/2010/12/01/3
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:008
- http://www.vupen.com/english/advisories/2011/0106
- http://www.bugzilla.org/security/3.2.9/
- http://secunia.com/advisories/43033
- https://bugzilla.mozilla.org/show_bug.cgi?id=591165
- http://www.vupen.com/english/advisories/2011/0207
- http://www.vupen.com/english/advisories/2011/0271
- http://www.vupen.com/english/advisories/2011/0212
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
- http://secunia.com/advisories/43068
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://secunia.com/advisories/43165
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
Fixed version: >=3.50
Reported: 2010-12-06
CVE-2010-2761
The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.
- https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
- http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
- http://openwall.com/lists/oss-security/2010/12/01/1
- http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
- http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
- http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
- http://openwall.com/lists/oss-security/2010/12/01/2
- http://openwall.com/lists/oss-security/2010/12/01/3
- https://bugzilla.mozilla.org/show_bug.cgi?id=600464
- http://osvdb.org/69588
- http://osvdb.org/69589
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:237
- http://www.vupen.com/english/advisories/2011/0076
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:250
- http://secunia.com/advisories/42877
- https://bugzilla.mozilla.org/show_bug.cgi?id=591165
- http://www.vupen.com/english/advisories/2011/0207
- http://www.bugzilla.org/security/3.2.9/
- http://secunia.com/advisories/43033
- http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
- http://secunia.com/advisories/43147
- http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
- http://www.vupen.com/english/advisories/2011/0249
- http://www.vupen.com/english/advisories/2011/0271
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
- http://www.vupen.com/english/advisories/2011/0212
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://secunia.com/advisories/43165
- http://secunia.com/advisories/43068
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
- http://www.redhat.com/support/errata/RHSA-2011-1797.html
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Fixed version: >=3.50
Reported: 2010-12-06
Kwalitee Issues
- has_meta_yml: Add a META.yml to the distribution. Your buildtool should be able to autogenerate it.
- has_changelog: Add a Changelog (best named 'Changes') to the distribution. It should list at least major changes implemented in newer versions.
- has_human_readable_license: Add a section called "LICENSE" to the documentation, or add a file named LICENSE to the distribution.
- has_license_in_source_file: Add =head1 LICENSE and the text of the license to the main module in your code.
- use_strict: Add 'use strict' (or its equivalents) to all modules, or convince us that your favorite module is well-known enough and people can easily see the modules are strictly written.
Error: CGI, CGI::Apache, CGI::Carp, CGI::Cookie, CGI::Fast, CGI::Push, CGI::Switch
- prereq_matches_use: List all used modules in META.yml requires.
Error: FCGI
- no_pod_errors: Remove the POD errors. You can check for POD errors automatically by including Test::Pod in your test suite.
Error: CGI.pm-2.59/CGI.pm -- Around line 4453: Expected text after =item, not a number Around line 4457: Expected text after =item, not a number Around line 4461: Expected text after =item, not a number Around line 4933: Expected text after =item, not a number Around line 4937: Expected text after =item, not a number Around line 4942: Expected text after =item, not a number Around line 4947: Expected text after =item, not a number Around line 5043: Expected text after =item, not a number Around line 5047: Expected text after =item, not a number Around line 5058: Expected text after =item, not a number Around line 5063: Expected text after =item, not a number Around line 5245: Expected text after =item, not a number Around line 5251: Expected text after =item, not a number Around line 5260: Expected text after =item, not a number Around line 5264: Expected text after =item, not a number Around line 5270: Expected text after =item, not a number Around line 5315: Expected text after =item, not a number Around line 5323: Expected text after =item, not a number Around line 5330: Expected text after =item, not a number Around line 5336: Expected text after =item, not a number Around line 5343: Expected text after =item, not a number Around line 5398: Expected text after =item, not a number Around line 5404: Expected text after =item, not a number Around line 5409: Expected text after =item, not a number Around line 5415: Expected text after =item, not a number Around line 5457: Expected text after =item, not a number Around line 5461: Expected text after =item, not a number Around line 5469: Expected text after =item, not a number Around line 5476: Expected text after =item, not a number Around line 5481: Expected text after =item, not a number Around line 5488: Expected text after =item, not a number Around line 5536: Expected text after =item, not a number Around line 5544: Expected text after =item, not a number Around line 5595: Expected text after =item, not a number Around line 5600: Expected text after =item, not a number Around line 5641: Expected text after =item, not a number Around line 5646: Expected text after =item, not a number
- has_meta_json: Add a META.json to the distribution. Your buildtool should be able to autogenerate it.
- meta_yml_has_license: Define the license if you are using Build.PL. If you are using MakeMaker (Makefile.PL) you should upgrade to ExtUtils::MakeMaker version 6.31.
- has_known_license_in_source_file: Add =head1 LICENSE and/or the proper text of the well-known license to the main module in your code.
- use_warnings: Add 'use warnings' (or its equivalents) to all modules, or convince us that your favorite module is well-known enough and people can easily see the modules warn when something bad happens.
Error: CGI, CGI::Apache, CGI::Carp, CGI::Cookie, CGI::Fast, CGI::Pretty, CGI::Push, CGI::Switch, CGI::Util
- consistent_version: Split the distribution, or fix the version numbers to make them consistent (use the highest version number to avoid version downgrade).
Error: 1.0,1.01,1.02,1.03,1.14,1.16,2.59
- has_separate_license_file: This is not a critical issue. Currently mainly informative for the CPANTS authors. It might be removed later.
Modules
Name | Abstract | Version | View |
---|---|---|---|
CGI | Simple Common Gateway Interface Class | 2.59 | metacpan |
CGI::Carp | CGI routines for writing to the HTTPD (or other) error log | 1.16 | metacpan |
CGI::Cookie | Interface to Netscape Cookies | 1.14 | metacpan |
CGI::Fast | CGI Interface for Fast CGI | 1.02 | metacpan |
CGI::Pretty | module to produce nicely formatted HTML code | 1.03 | metacpan |
CGI::Push | Simple Interface to Server Push | 1.01 | metacpan |
CGI::Util | | 1.0 | metacpan |