Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass
Damyan Ivanov
dmn at debian.org
Wed Oct 12 09:03:50 UTC 2011
-=| Dominic Hargreaves, 11.10.2011 14:33:42 +0100 |=-
> On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> > Did this update receive testing?
The changes look sane "in theory". They address all mentions of
FCGI::ENV in the source.
The RT testing by Dominic seems sufficient additional assurance to me.
> > distribution needs to point to stable-security, not unstable. And
> > while you're at it, please modify 0.71-1+squeeze.1 to 0.71-1+squeeze1
> > for consistency.
Right. Thanks!
> Hello Damyan, are you planning to do this or do you need someone
> else to take over? IMO this one warrants a DSA.
Thanks for the nudge. I have pushed the squeeze branch of
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
with the changes so others can take over for the actual uploading if I am away.
The squeeze version still has Vcs-Svn in its control file. Would it be
acceptable to change that too?
Current changelog:
libfcgi-perl (0.71-1+squeezei1) stable-security; urgency=high

  * Add patch from upstream bug tracker fixing CVE-2011-2766
    Closes: #607479. Thanks to Ferdinand for reporting, Russ Allbery for the
    analysis and chansen for the patch.

 -- Damyan Ivanov <dmn at debian.org>  Wed, 12 Oct 2011 11:50:21 +0300