Debian Security Advisory

DSA-2586-1 perl -- several vulnerabilities

Date Reported:
11 Dec 2012
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 689314, Bug 693420, Bug 695223.
In Mitre's CVE dictionary: CVE-2012-5195, CVE-2012-5526.
More information:

Two vulnerabilities were discovered in the implementation of the Perl programming language:

  • CVE-2012-5195

    The x operator could cause the Perl interpreter to crash if very long strings were created.

  • CVE-2012-5526

    The CGI module does not properly escape LF characters in the Set-Cookie and P3P headers.

In addition, this update adds a warning to the Storable documentation that this package is not suitable for deserializing untrusted data.

For the stable distribution (squeeze), these problems have been fixed in version 5.10.1-17squeeze4.

For the unstable distribution (sid), these problems have been fixed in version 5.14.2-16.

We recommend that you upgrade your perl packages.