Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass
Dominic Hargreaves
dom at earth.li
Wed Oct 12 09:30:51 UTC 2011
On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
> -=| Dominic Hargreaves, 11.10.2011 14:33:42 +0100 |=-
> > On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> > > Did this update receive testing?
>
> The changes look sane "in theory". They address all mentions of
> FCGI::ENV in the source.
>
> The RT testing by Dominic seems sufficient additional assurance to me.
Russ, I guess you've been involved in fixing this locally; are you able
to make any comments on the soundness of the patch at
<http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=blob;f=debian/patches/cve-2011-2766.patch;h=62ca4ac0aff279faba37ce2168fccd248e5c45a6;hb=48b6294e73f73323310250fde667b2a2b7032df2> ?
Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)