Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Niko Tyni
ntyni at debian.org
Fri Jan 7 12:48:28 UTC 2011

On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
> On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
>
> > Assuming this is the case, I'm attaching preliminary patches for
> >
> > 3.29 (perl-modules / lenny)
> > 3.38 (libcgi-pm-perl / lenny)
> > 3.43 (perl-modules / squeeze + sid)
> > 3.49 (libcgi-pm-perl / squeeze)
> > 3.50 (libcgi-pm-perl / sid)
>
> All this means I need another test session when I'm feeling less tired,
> so no perl upload tonight.

Done, just uploaded perl/5.10.1-17 with the attached patch.

Changes:
 perl (5.10.1-17) unstable; urgency=medium
 .
   * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
     fix CGI.pm MIME boundary and multiline header vulnerabilities.
     (Closes: #606995)

Release team: please consider

 unblock perl/5.10.1-17

The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
s/rearrange_header/rearrange/.

Moritz: shall I upload a fixed lenny package to stable-security?
FWIW, I'd prefer to wait the five days for squeeze migration before a
DSA in case we get any regression reports.
--
Niko Tyni ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cgi-multiline-header.diff
Type: text/x-diff
Size: 5846 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/perl-maintainers/attachments/20110107/14c1bae1/attachment-0001.diff>