It was reported [1],[2] that the CGI::Application perl module suffered from a flaw where, in certain cases, it would unexpectedly dump a complete set of web query data and server environment information as an error page. This could allow unintended disclosure of sensitive information. A suggested fix is available [3] and the commit that caused the problem [4] was most likely introduced in version 4.19. [1] https://rt.cpan.org/Public/Bug/Display.html?id=84403 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739505 [3] https://github.com/markstos/CGI--Application/pull/15 [4] https://github.com/markstos/CGI--Application/commit/61d327646f01fe
CVE request: http://openwall.com/lists/oss-security/2014/02/19/11
Created perl-CGI-Application tracking bugs for this issue: Affects: fedora-all [bug 1067185] Affects: epel-6 [bug 1067186]
CVE-2013-7329 was assigned to this issue: http://openwall.com/lists/oss-security/2014/02/20/1
perl-CGI-Application-4.50-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
perl-CGI-Application-4.50-7.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-CGI-Application-4.50-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Fixes are present in all supported versions of Fedora and EPEL. Closing. Thanks Emmanuel!