Bug 2105085 (CVE-2022-31081)
| Summary: | CVE-2022-31081 perl-HTTP-Daemon: HTTP::Daemon allows request smuggling | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | hhorak, jorton, mspacek, perl-devel, perl-maint-list, ppisar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | HTTP-Daemon 6.15 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2119270, 2119271, 2119272, 2119273, 2119274, 2173127 | | |
| Bug Blocks: | 2105086 | | |

Description
Sage McTaggart
2022-07-07 20:52:22 UTC
The description is about a completely different bug in an unrelated software. The HTTP-Daemon bug is reported to upstream at <https://github.com/libwww-perl/HTTP-Daemon/issues/56>.

I think CVE-2022-31081 <https://nvd.nist.gov/vuln/detail/CVE-2022-31081> is for HTTP-Daemon. CVE-2022-31082 <https://nvd.nist.gov/vuln/detail/CVE-2022-31082> is for the unrelated GLPI.

@amctagga Could you please rename this ticket to mention CVE-2022-31081 only? For issue with perl-HTTP-Daemon.

In reply to comment #3:
> @amctagga Could you please rename this ticket to mention
> CVE-2022-31081 only? For issue with perl-HTTP-Daemon.

Made the edit, both were in the same initial report so this was filed together. Hope that helps!

Upstream commits supposedly fixing this vulnerability:

e84475de51d6fd7b29354a997413472a99db70b2 Fix Content-Length ', '-separated string issues
8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Include reason in response body content
faebad54455c2c2919e234202362570925fb99d1 Add new test for Content-Length issues
ef8c1265c9558e92bac3178a0ed42eb937d943c6 Remove 'trailing spaces' to satisfy some authors
c10445d014584546f99f85d240000b4a140ec37a (HEAD -> master, origin/master, origin/HEAD) Add CVE-2022-31081 fix to the Revision History

https://ubuntu.com/security/notices/USN-5520-1

The issue is fixed upstream in 6.15:
https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf

Created perl-HTTP-Daemon tracking bugs for this issue:

Affects: fedora-all [bug 2119270]

Upstream has not released a new version of distribution with fixes, because there are some failing tests related to the issue.

Fix was delivered by upstream version of HTTP::Daemon 6.15