CGI 2.21 Deleted
Security Advisories
CVE-2012-5526
CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
- http://www.securityfocus.com/bid/56562
- http://www.openwall.com/lists/oss-security/2012/11/15/6
- https://github.com/markstos/CGI.pm/pull/23
- http://www.securitytracker.com/id?1027780
- http://cpansearch.perl.org/src/MARKSTOS/CGI.pm-3.63/Changes
- http://secunia.com/advisories/51457
- http://www.ubuntu.com/usn/USN-1643-1
- http://www.debian.org/security/2012/dsa-2586
- http://rhn.redhat.com/errata/RHSA-2013-0685.html
- http://secunia.com/advisories/55314
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80098
Fixed version: >=3.63
Reported: 2012-11-21
CVE-2011-2766
Usage of deprecated FCGI.pm API.
- https://rt.cpan.org/Public/Bug/Display.html?id=68380
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2766
Fixed version: >=3.56
Reported: 2011-11-08
Non-random MIME boundary.
Fixed version: >=3.50
Reported: 2010-11-08
Newlines in headers.
Fixed version: >=3.49
Reported: 2010-02-05
CVE-2010-4411
Unspecified vulnerability in CGI.pm 3.50 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2010-2761.
- http://openwall.com/lists/oss-security/2010/12/01/3
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:008
- http://www.vupen.com/english/advisories/2011/0106
- http://www.bugzilla.org/security/3.2.9/
- http://secunia.com/advisories/43033
- https://bugzilla.mozilla.org/show_bug.cgi?id=591165
- http://www.vupen.com/english/advisories/2011/0207
- http://www.vupen.com/english/advisories/2011/0271
- http://www.vupen.com/english/advisories/2011/0212
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
- http://secunia.com/advisories/43068
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://secunia.com/advisories/43165
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
Fixed version: >=3.50
Reported: 2010-12-06
CVE-2010-2761
The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.
- https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb7262eea59b380
- http://cpansearch.perl.org/src/LDS/CGI.pm-3.50/Changes
- http://openwall.com/lists/oss-security/2010/12/01/1
- http://www.nntp.perl.org/group/perl.perl5.changes/2010/11/msg28043.html
- http://perl5.git.perl.org/perl.git/blobdiff/a0b94c2432b1d8c20653453a0f6970cb10f59aec..84601d63a7e34958da47dad1e61e27cb3bd467d1:/cpan/CGI/lib/CGI.pm
- http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1
- http://openwall.com/lists/oss-security/2010/12/01/2
- http://openwall.com/lists/oss-security/2010/12/01/3
- https://bugzilla.mozilla.org/show_bug.cgi?id=600464
- http://osvdb.org/69588
- http://osvdb.org/69589
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:237
- http://www.vupen.com/english/advisories/2011/0076
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:250
- http://secunia.com/advisories/42877
- https://bugzilla.mozilla.org/show_bug.cgi?id=591165
- http://www.vupen.com/english/advisories/2011/0207
- http://www.bugzilla.org/security/3.2.9/
- http://secunia.com/advisories/43033
- http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053591.html
- http://secunia.com/advisories/43147
- http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053576.html
- http://www.vupen.com/english/advisories/2011/0249
- http://www.vupen.com/english/advisories/2011/0271
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053678.html
- http://www.vupen.com/english/advisories/2011/0212
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://secunia.com/advisories/43165
- http://secunia.com/advisories/43068
- http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053665.html
- http://www.redhat.com/support/errata/RHSA-2011-1797.html
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Fixed version: >=3.50
Reported: 2010-12-06
Kwalitee Issues
- has_meta_yml: Add a META.yml to the distribution. Your build tool should be able to autogenerate it.
- has_changelog: Add a Changelog (best named 'Changes') to the distribution. It should list at least the major changes implemented in newer versions.
- has_tests: Add tests!
- no_generated_files: Remove the offending files/directories!
  Error: Makefile
- has_human_readable_license: Add a section called "LICENSE" to the documentation, or add a file named LICENSE to the distribution.
- has_license_in_source_file: Add =head1 LICENSE and the text of the license to the main module in your code.
- use_strict: Add 'use strict' (or its equivalents) to all modules, or convince us that your favorite module is well-known enough and people can easily see the modules are strictly written.
  Error: CGI, CGI::Carp
- no_pod_errors: Remove the POD errors. You can check for POD errors automatically by including Test::Pod in your test suite.
  Error: CGI.pm-2.21/CGI.pm
  Around lines 2895, 2899, 2903, 3059, 3063, 3068, 3073, 3166, 3170, 3182, 3187, 3324, 3330, 3339, 3343, 3349, 3393, 3401, 3408, 3414, 3421, 3478, 3484, 3489, 3495, 3537, 3541, 3549, 3556, 3561, 3568, 3616, 3624, 3672, 3677, 3718, 3723: Expected text after =item, not a number
  Around line 4026: '=item' outside of any '=over'
  Around line 4103: You forgot a '=back' before '=head1'
- has_meta_json: Add a META.json to the distribution. Your build tool should be able to autogenerate it.
- has_tests_in_t_dir: Add tests, or move tests.pl to the t/ directory!
- meta_yml_has_license: Define the license if you are using Build.PL. If you are using MakeMaker (Makefile.PL) you should upgrade to ExtUtils::MakeMaker version 6.31.
- has_known_license_in_source_file: Add =head1 LICENSE and/or the proper text of the well-known license to the main module in your code.
- use_warnings: Add 'use warnings' (or its equivalents) to all modules, or convince us that your favorite module is well-known enough and people can easily see the modules warn when something bad happens.
  Error: CGI, CGI::Carp
- consistent_version: Split the distribution, or fix the version numbers to make them consistent (use the highest version number to avoid version downgrade).
  Error: 1.02,2.21
- has_separate_license_file: This is not a critical issue. Currently mainly informative for the CPANTS authors. It might be removed later.