FreeBSD Ports: P5-libwww Network Vulnerability

Summary

The remote host is missing an update to the system as announced in the referenced advisory.

Solution

Update your system with the appropriate patches or software upgrades. http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes http://www.vuxml.org/freebsd/3a7c5fc4-b50c-11df-977b-ecc31dd8ad06.html

Insight

The following package is affected: p5-libwww CVE-2010-2253 lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Severity

Classification

CVE CVE-2010-2253
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

FreeBSD Ports: apache
FreeBSD Ports: bzip2
FreeBSD Ports: bacula
FreeBSD Ports: asterisk18
FreeBSD Ports: apache-tomcat

FreeBSD Ports: p5-libwww

Take action and discover your vulnerabilities