Bug#693420: CVE-2012-5526: perl and libcgi-pm-perl: newline injection
Dominic Hargreaves
dom at earth.li
Sun Nov 18 12:31:44 UTC 2012
On Sun, Nov 18, 2012 at 12:08:21PM +0200, Niko Tyni wrote:
> Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
> newline injection in Set-Cookie and P3P headers) affects all of squeeze,
> wheezy, and sid.
>
> The attached patch should apply to the wheezy and sid versions; squeeze
> may need some backporting at least for the testcases, and the perl package
> needs filename modifications due to the different directory structure.
>
> The sid and wheezy versions of libcgi-pm-perl have diverged, so
> I suppose this needs to go in wheezy via tpu.

As both bugs are important rather than RC, neither a t-p-u upload
for libcgi-pm-perl nor an upload for perl including this would
qualify for migration to testing under the tightened up freeze policy[1],
so CCing debian-release for opinions from their side.

Cheers,
Dominic.

[1] <http://release.debian.org/wheezy/freeze_policy.html>

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)