CVE-2011-3597

Publication date 13 January 2012

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.

Read the notes from the security team

Status

No maintained releases are affected by this CVE.

Package Ubuntu Release Status
libdigest-perl 13.10 saucy
Not affected
13.04 raring
Not affected
12.10 quantal
Not affected
12.04 LTS precise
Not affected
11.10 oneiric Ignored end of life
11.04 natty Ignored end of life
10.10 maverick Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy Ignored end of life
perl 13.10 saucy
Not affected
13.04 raring
Not affected
12.10 quantal
Not affected
12.04 LTS precise
Not affected
11.10 oneiric
Fixed 5.12.4-4ubuntu0.1
11.04 natty Ignored end of life
10.10 maverick Ignored end of life
10.04 LTS lucid
Fixed 5.10.1-8ubuntu2.2
8.04 LTS hardy
Fixed 5.8.8-12ubuntu0.7

Notes

mdeslaur

fixed in digest 1.17

jdstrand

from RedHat bug: “To successfully exploit this vulnerability, the attacker must already be able to execute Perl code or be able to set the algorithm name to be used by the constructor in the form ”$ctx =

Digest-

new(XXX => $arg,...)”, which is very unlikely to happen.”

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
perl

References

Related Ubuntu Security Notices (USN)

    • USN-1643-1
    • Perl vulnerabilities
    • 30 November 2012

Other references