Bug#606379: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
gregor herrmann
gregoa at debian.org
Tue Jan 4 18:45:56 UTC 2011
On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:
> On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > Assuming this is the case, I'm attaching preliminary patches for
> > Thanks!
> Could you upload the fixes targeted at squeeze to tpu?
I'm happy to take care of libcgi-pm-perl.
If the release team agrees (cc'ed) that could be
- 3.38-2lenny2 / stable-proposed-updates
- 3.49-1squeeze1 / testing-proposed-updates
- 3.50-2 / unstable
(Alternative: just upload 3.50-2 to unstable and let it migrate to
testing.)
I'd rather leave perl-modules to Niko.
Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
Damyan in our repo (plus tons of unrelated changes that have
accumulated since the last upload :/) but (b) also a new upstream
release:
http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
1.113 2010-12-27
- (thanks to Yamada Masahiro) randomise multipart boundary string
(security).
...
Security: Fix handling of embedded malicious newlines in header
values This is a direct port of the same security fix that
Security: use a random MIME boundary by default in
multipart_init(). This is a direct port of the same issue
which was addressed in CGI.pm, preventing some kinds of
potential header injection attacks.
Port from CGI.pm: Fix multi-line header parsing.
This fix is covered by the tests in t/header.t added in
the previous patch. If you run those tests without this
patch, you'll see how the headers would be malformed
without this fix.
Port CRLF injection prevention from CGI.pm
I'm not sure what the best way to proceed is here; maybe Damyan has
more ideas since he's already worked on that package?
Cheers,
gregor
--
.''`. http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
: :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
`. `' Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
`- NP: Beatles: Helter Skelter
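As an added example, not code from CGI.pm, CGI::Simple or the Debian patches discussed in this thread, the following Perl sketch shows the two fixes the quoted Changes entries name: unfolding RFC 822 continuation lines and rejecting any other embedded CR/LF in header values (the CRLF injection prevention), and choosing a random multipart boundary instead of a fixed one. Function names and the sample header values are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not CGI.pm/CGI::Simple code: header-value sanitising
# and a random multipart boundary, as described in the CGI::Simple 1.113
# Changes entries quoted in the thread. All names here are my own.
use strict;
use warnings;

# RFC 822 allows a header value to be folded over several lines when
# the CRLF is immediately followed by a space or tab. Unfold those, then
# treat any CR or LF that is still present as an injection attempt.
sub sanitize_header_value {
    my ($value) = @_;
    return undef unless defined $value;
    $value =~ s/\r?\n(?=[ \t])//g;   # legal folding: drop the break, keep the LWSP char
    if ($value =~ /[\r\n]/) {
        die "Invalid header value contains a newline not followed by whitespace\n";
    }
    return $value;
}

# Emit a header block, sanitising every value before it is joined with CRLF.
sub build_headers {
    my (%h) = @_;
    my $out = '';
    for my $name (sort keys %h) {
        $out .= "$name: " . sanitize_header_value($h{$name}) . "\r\n";
    }
    return $out . "\r\n";
}

# A fixed, predictable boundary lets anyone who controls part bodies
# terminate the multipart message early; a fresh random one does not.
# Perl's rand() is used for portability; a production implementation
# should draw the boundary from a cryptographically secure source.
sub random_boundary {
    my @chars = ('A' .. 'Z', 'a' .. 'z', '0' .. '9');
    return '------- =_' . join '', map { $chars[rand @chars] } 1 .. 17;
}

# Constructed sample values: a plain value, a legally folded value, and
# a value carrying an embedded header line that must be rejected.
my $plain  = "text/html; charset=ISO-8859-1";
my $folded = "attachment;\r\n filename=\"report.txt\"";
my $bad    = "text/html\r\nSet-Cookie: injected=1";

print build_headers('Content-Type' => $plain, 'Content-Disposition' => $folded);
my $ok = eval { build_headers('Content-Type' => $bad); 1 };
print $ok ? "accepted\n" : "rejected: $@";
print "boundary: ", random_boundary(), "\n";
```

Running it prints the first two headers with the folded value joined onto one line, reports the third value as rejected, and ends with a boundary that differs on every run.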