Security Advisory Details

NS-SA-2024-0092

2024-05-18 16:44:15

Summary

moderate: perl-HTTP-Tiny/ctags security update

Severity

moderate

Topic

An update for perl-HTTP-Tiny/ctags is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

perl-HTTP-Tiny:
ctags:


Security Fix(es):
perl-HTTP-Tiny: A vulnerability was found in HTTP::Tiny, a Perl core module and standalone CPAN package, which does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server. (CVE-2023-31486)
perl-HTTP-Tiny: bugfix
ctags: A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified on the command line or in the configuration file results in arbitrary command execution because externalSortTags() in sort.c calls the system(3) function in an unsafe way. (CVE-2022-4515)
ctags: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.06.07B7.

Affected Components

  • perl-HTTP-Tiny
  • ctags

Affected Products

  • CGSL MAIN 6.06

Updated Packages

CGSL MAIN 6.06
  • perl-HTTP-Tiny-0.074-2.0.1.zncgsl6.src.rpm
    • perl-HTTP-Tiny-doc-0.074-2.0.1.zncgsl6.noarch.rpm
    • perl-HTTP-Tiny-0.074-2.0.1.zncgsl6.noarch.rpm
  • ctags-5.8-23.0.1.zncgsl6.src.rpm
    • ctags-etags-5.8-23.0.1.zncgsl6.x86_64.rpm
    • ctags-doc-5.8-23.0.1.zncgsl6.noarch.rpm
    • ctags-debuginfo-5.8-23.0.1.zncgsl6.x86_64.rpm
    • ctags-debugsource-5.8-23.0.1.zncgsl6.x86_64.rpm
    • ctags-5.8-23.0.1.zncgsl6.x86_64.rpm

CVE

References
