Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Damyan Ivanov dmn at debian.org
Wed Oct 12 09:03:50 UTC 2011


-=| Dominic Hargreaves, 11.10.2011 14:33:42 +0100 |=-
> On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> > Did update this receive testing?

The changes look sane "in theory". They address all mentions of 
FCGI::ENV in the source.

The RT testing by Dominic seems sufficient additional assurance to me.

> > distribution needs to point to stable-security, not unstable. And
> > while you're at it, please modify 0.71-1+squeeze.1 to 0.71-1+squeeze1
> > for consistency.

Right. Thanks!

> Hello Damyan, are you planning to do this or do you need someone 
> else to take over? IMO this one warrants a DSA.

Thanks for the nudge. I have pushed the squeeze branch of 
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
with the changes so others can take over for the actual uploading if I am away.

The squeeze version still has Vcs-Svn in its control file. Would it be 
acceptable to change that too?

Current changelog:

libfcgi-perl (0.71-1+squeezei1) stable-security; urgency=high

  * Add patch from upstream bug tracker fixing CVE-2011-2766
    Closes: #607479. Thanks to Ferdinand for reporting, Russ Allbery for the
    analysis and chansen for the patch.

 -- Damyan Ivanov <dmn at debian.org>  Wed, 12 Oct 2011 11:50:21 +0300
