Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Moritz Muehlenhoff jmm at inutil.org
Wed Dec 8 19:53:28 UTC 2010


On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> clone 606370 -1
> found 606370 3.38-2lenny1
> reassign -1 libcgi-simple-perl 1.105-1
> thanks
> 
> Moritz Muehlenhoff <jmm at debian.org> writes:
> > Three security issues have been reported in libcgi-pm-perl:
> >
> > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > http://security-tracker.debian.org/tracker/CVE-2010-4411
> >
> > The first two issues are fixed in 3.50 (already in sid), but
> > the second is still pending a final fix (see the referenced
> > link). Please get in touch with the release team to check
> > whether migrating 3.50 plus the fix for CVE-2010-4411 or
> > uploading a tpu fix with 3.49 plus the security fixes is the
> > best way to resolve this.
> 
> In addition to Lenny's version of libcgi-pm-perl, the same issues also
> affect libcgi-simple-perl, including the version currently in unstable
> (1.111-1).
> 
> I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> fix for CVE-2010-2761 was not complete, but it is not a different, new
> issue?
> 
> We should probably wait until the issue is really fixed:
> 
> | >     2. Further improvements to handling of newlines embedded in header
> | > values.
> [...]
> | Yes, it is. However, later testing found that the issue wasn't
> | completely fixed in 3.50. A new patch has been developed, and is
> | currently pending review and acceptance by the primary CGI.pm author,
> | Lincoln Stein. (Now CC'ed).
>   -- <http://openwall.com/lists/oss-security/2010/12/01/3>

[ I'm adding Lincoln to CC. ]

Lincoln,
we're trying to fix CVE-2010-4411 for the upcoming Debian release.

Is a final patch already available?

Cheers,
        Moritz

More information about the pkg-perl-maintainers mailing list