USN-2916-1 Perl vulnerabilities

Medium

Vendor

Ubuntu, Perl

Versions Affected

• Ubuntu 14.04 LTS

Description

Several security issues were fixed in Perl.

It was discovered that Perl incorrectly handled certain regular expressions with an invalid back-reference. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-7422)

Markus Vervier discovered that Perl incorrectly handled nesting in the Data::Dumper module. An attacker could use this issue to cause Perl to consume memory and crash, resulting in a denial of service. (CVE-2014-4330)

Stephane Chazelas discovered that Perl incorrectly handled duplicate environment variables. An attacker could possibly use this issue to bypass the taint protection mechanism. (CVE-2016-2381)

Affected Products and Versions

_Severity is medium unless otherwise noted.
_

• All versions of Cloud Foundry rootfs prior to 1.40.0 AND stemcell 3146.x versions prior to 3146.10 AND all other stemcell versions prior to 3213

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry project recommends that Cloud Foundry deployments upgrade rootfs to version 1.40.0 or later
• The Cloud Foundry project recommends that Cloud Foundry deployments upgrade stemcell versions 3146.x to 3146.10 or later OR all other stemcell versions to 3213 or later

Credit

Markus Vervier, Stephane Chazelas

References

• <http://www.ubuntu.com/usn/usn-2916-1/&gt;
• <http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-7422.html&gt;
• <http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4330.html&gt;
• <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2381.html&gt;