Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
Niko Tyni
ntyni at debian.org
Mon Dec 27 13:33:21 UTC 2010
On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > Moritz Muehlenhoff <jmm at debian.org> writes:
> > > Three security issues have been reported in libcgi-pm-perl:
> > >
> > > http://security-tracker.debian.org/tracker/CVE-2010-2761
> > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > I'm not quite sure yet what CVE-2010-4411 refers to. It seems that the
> > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > issue?
> >
> > We should probably wait until the issue is really fixed:
> >
> > | > 2. Further improvements to handling of newlines embedded in header
> > | > values.
> > [...]
> > | Yes, it is. However, later testing found that the issue wasn't
> > | completely fixed in 3.50. A new patch has been developed, and is
> > | currently pending review and acceptance by the primary CGI.pm author,
> > | Lincoln Stein. (Now CC'ed).
> > -- <http://openwall.com/lists/oss-security/2010/12/01/3>
>
> [ I'm adding Lincoln to CC. ]
>
> Lincoln,
> were're trying to fix CVE-2010-4411 for the upcoming Debian release.
>
> Is a final patch already available?
I see Mark Stosberg (CC'd as well) recently pushed this into the
CGI.pm github repository:
https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
Mark, is this double newline injection fix the new patch referred above?
Thanks for your work,
--
Niko Tyni ntyni at debian.org
More information about the pkg-perl-maintainers
mailing list