Description: The security issue is caused due to the CGI::Fast API not properly resetting environment variables, which can be exploited to leak information (e.g. authentication credentials) from the second request into subsequent requests, if the first request had an empty environment.
Note: Successful exploitation requires that the deprecated CGI::Fast API is used.
The security issue is reported in versions 0.7x prior to 0.74.
Solution: Update to version 0.74.
@Maintainer: The fixed version is already in tree, can we go ahead and stabilize it? =dev-perl/FCGI-0.740.0
CVE-2011-2766 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2766): The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers to bypass authentication via crafted HTTP headers.
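Added example, not part of the original report and not FCGI's own code: a simplified Python model of a persistent worker, run against constructed traffic, showing how the behaviour in the description and the CVE entry above can be checked for. The `Worker` class, the empty-snapshot flaw it models, and the `stale_variables` check are assumptions made for illustration.

```python
# Simplified model of a persistent (FastCGI-style) worker. Not FCGI's code.
class Worker:
    def __init__(self, process_env, strict):
        self.env = dict(process_env)   # stands in for the global environment
        self.baseline = None           # snapshot of the pre-request environment
        self.strict = strict           # True = hardened reset logic

    def accept(self, request_env):
        if self.strict:
            # Hardened: a snapshot exists once taken, even if it is empty.
            have_baseline = self.baseline is not None
        else:
            # Assumed flaw: an empty snapshot is treated as "no snapshot yet".
            have_baseline = bool(self.baseline)
        if have_baseline:
            self.env = dict(self.baseline)   # reset before the new request
        else:
            self.baseline = dict(self.env)   # capture whatever is there now
        self.env.update(request_env)
        return dict(self.env)                # what the request handler sees


def stale_variables(worker, process_env, requests):
    """For each request, list variables the handler sees that came from
    neither the process environment nor the request itself."""
    report = []
    for req in requests:
        seen = worker.accept(req)
        report.append(sorted(k for k in seen
                             if k not in req and k not in process_env))
    return report


# Constructed sample traffic: an empty first request, one authenticated
# request, then two anonymous requests.
REQUESTS = [
    {},
    {"REQUEST_URI": "/admin", "HTTP_AUTHORIZATION": "Basic <placeholder>"},
    {"REQUEST_URI": "/"},
    {"REQUEST_URI": "/"},
]

if __name__ == "__main__":
    for strict in (False, True):
        label = "hardened" if strict else "flawed"
        print(label, stale_variables(Worker({}, strict), {}, REQUESTS))
```

The same per-request comparison can serve as a regression test for any persistent request handler: a non-empty entry means a variable outlived the request that set it.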
@ago, it is already stable in bug #412999
GLSA vote: no
GLSA vote: no. Closing noglsa.