Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Julien Cristau jcristau at debian.org
Tue Jan 4 19:40:20 UTC 2011


On Tue, Jan  4, 2011 at 19:45:56 +0100, gregor herrmann wrote:

> On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:
> 
> > On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > > Assuming this is the case, I'm attaching preliminary patches for
> > > Thanks!
> > Could you upload the fixes targeted at squeeze to tpu?
> 
> I'm happy to take care of libcgi-pm-perl.
> 
> If the release team agrees (cc'ed) that could be

debian-release at lists works better than debian-release at bugs.  Fixed.

> - 3.38-2lenny2 / stable-proposed-updates
> - 3.49-1squeeze1 / testing-proposed-updates
> - 3.50-2 / unstable
> 
> (Alternative: just upload 3.50-2 to unstable and let it migrate to
> testing.)
> 
> 
> I'd rather leave perl-modules to Niko.
> 
> 
> Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
> Damyan in our repo (plus tons of unrelated changes that have
> accumulated since the last upload :/) but (b) also a new upstream
> release:
> 
> http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
> 
> 1.113   2010-12-27
>       - (thanks to Yamada Masahiro) randomise multipart boundary string
>         (security).
> ...
>         Security: Fix handling of embedded malicious newlines in header
>           values This is a direct port of the same security fix that
> 
>         Security: use a random MIME boundary by default in
>           multipart_init(). This is a direct port of the same issue
>           which was addressed in CGI.pm, preventing some kinds of
>           potential header injection attacks.
> 
>         Port from CGI.pm: Fix multi-line header parsing.
>           This fix is covered by the tests in t/header.t added in
>           the previous patch. If you run those tests without this
>           patch, you'll see how the headers would be malformed
>           without this fix.
> 
>         Port CRLF injection prevention from CGI.pm
> 
> I'm not sure what the best way to proceed is here; mabye Damyan has
> more ideas since he's already worked on that package?
> 
> 
Cheers,
Julien
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/perl-maintainers/attachments/20110104/705bdd18/attachment.pgp>


More information about the Perl-maintainers mailing list