Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Moritz Muehlenhoff
jmm at inutil.org
Fri Jan 7 17:45:06 UTC 2011
On Fri, Jan 07, 2011 at 02:48:28PM +0200, Niko Tyni wrote:
> On Thu, Jan 06, 2011 at 10:37:11PM +0200, Niko Tyni wrote:
> > On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> >
> > > Assuming this is the case, I'm attaching preliminary patches for
> > >
> > > 3.29 (perl-modules / lenny)
> > > 3.38 (libcgi-pm-perl / lenny)
> > > 3.43 (perl-modules / squeeze + sid)
> > > 3.49 (libcgi-pm-perl / squeeze)
> > > 3.50 (libcgi-pm-perl / sid)
>
> > All this means I need another test session when I'm feeling less tired,
> > so no perl upload tonight.
>
> Done, just uploaded perl/5.10.1-17 with the attached patch.
>
> Changes:
> perl (5.10.1-17) unstable; urgency=medium
> .
> * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
> fix CGI.pm MIME boundary and multiline header vulnerabilities.
> (Closes: #606995)
>
> Release team: please consider
>
> unblock perl/5.10.1-17
>
> The patch applies to lenny (5.10.0-19lenny2) as well with some fuzz after
> s/rearrange_header/rearrange/.
>
> Moritz: shall I upload a fixed lenny package to stable-security?
> FWIW, I'd prefer to wait the five days for squeeze migration before a
> DSA in case we get any regression reports.
Let's wait a bit, it's not urgent.
Cheers,
Moritz