Bug#644147: pu: package libdigest-perl/1.16-1+squeeze1

Ansgar Burchardt ansgar at debian.org
Mon Oct 3 10:29:56 UTC 2011


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval[1]: the argument to Digest->new($algo) was not
checked properly allowing code injection (in case the value can be
changed by the attacker).  Versions in both lenny and squeeze are
affected.

The security team does not plan to release a DSA; the issue should be
fixed via proposed-updates instead.

I prepared updates for both lenny and squeeze (attached).

Regards,
Ansgar

[1] <https://github.com/gisle/digest/commit/33800e83550bcad19c4fc593874ec3497841fa1e>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libdigest-perl_lenny.diff
Type: text/x-diff
Size: 1448 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20111003/56470fea/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libdigest-perl_squeeze.diff
Type: text/x-diff
Size: 1424 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20111003/56470fea/attachment-0001.diff>
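
The class of bug described in the message above, as an added example that is not part of the original e-mail and is not the upstream patch: a string eval on a caller-supplied algorithm name, beside a loader that validates the name before loading. The function names load_unsafe and load_safe, the name pattern and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern, shown for contrast and never called below: the caller's
# string is interpolated into a string eval and compiled as Perl source.
sub load_unsafe {
    my ($algo) = @_;
    my $class = "Digest::$algo";
    eval "require $class" or die "cannot load $class: $@";
    return $class;
}

# Hardened form (assumed policy: ASCII identifier only). The name is checked
# first, then loaded by file name inside a block eval, so no caller-supplied
# text is ever compiled.
sub load_safe {
    my ($algo) = @_;
    die "algorithm name missing\n" unless defined $algo && length $algo;
    # \A and \z rather than ^ and $: "$" would accept a trailing newline.
    die "invalid algorithm name\n"
        unless $algo =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
    my $class = "Digest::$algo";
    my $file  = "Digest/$algo.pm";
    eval { require $file; 1 } or die "cannot load $class: $@";
    return $class;
}

# Constructed inputs: one legitimate name, then names that must be rejected.
for my $name ('MD5', "MD5\n", 'MD5; print "x"', 'MD5::../x', '') {
    my $class = eval { load_safe($name) };
    my $err   = $@;
    chomp $err;
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-18s %s\n", "'$shown'", $class ? "loaded $class" : "rejected: $err";
}
```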

