Bug#693421: CVE-2012-5526: perl and libcgi-pm-perl: newline injection

Niko Tyni ntyni at debian.org
Sun Nov 18 10:08:21 UTC 2012


found 693420 5.10.1-17squeeze3
found 693420 5.14.2-15
found 693421 3.49-1squeeze1
found 693421 3.59+dfsg-1
found 693421 3.61-1
tag 693421 patch fixed-upstream
thanks

Testing with the new testcases in CGI.pm-3.62, CVE-2012-5526 (CGI.pm
newline injection in Set-Cookie and P3P headers) affects all of squeeze,
wheezy, and sid.

The attached patch should apply to the wheezy and sid versions; squeeze
may need some backporting at least for the testcases, and the perl package
needs filename modifications due to the different directory structure.

The sid and wheezy versions of libcgi-pm-perl have diverged, so
I suppose this needs to go in wheezy via tpu.

The perl status in wheezy/sid is waiting for #692294; we'll see
if this needs a separate upload.

Security team: do you want DSAs for stable or should this rather be
fixed via SRM/proposed-updates?
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch
Type: text/x-diff
Size: 3062 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20121118/30197c4c/attachment-0001.patch>
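Added illustration of the bug class the report refers to (CR/LF injection through Set-Cookie and P3P header values). This is a stand-alone Perl sketch written for this page; it is not CGI.pm's code and not the attached patch. The function names (naive_headers, clean_value, hardened_headers, count_header) and the sample attacker input are made up for the example, and the "unfold RFC 822 continuations, then reject any remaining bare CR/LF" rule is my assumption about the general shape of a fix, not a transcription of the 3.62 change.

```perl
#!/usr/bin/perl
# Added example, not CGI.pm code: a minimal CGI-style header emitter that
# shows how an unescaped CR/LF inside a cookie or P3P value becomes an
# extra response header, and one way to neutralise it.
use strict;
use warnings;

my $CRLF = "\015\012";

# Naive emitter: values are interpolated verbatim into the header block.
# This mirrors the weakness described in the report (assumption for the
# purpose of illustration, not the real CGI.pm header() code).
sub naive_headers {
    my (%h) = @_;
    my @lines = ("Content-Type: text/html; charset=ISO-8859-1");
    push @lines, "Set-Cookie: $h{cookie}" if defined $h{cookie};
    push @lines, "P3P: policyref=\"/w3c/p3p.xml\", CP=\"$h{p3p}\""
        if defined $h{p3p};
    return join($CRLF, @lines) . $CRLF . $CRLF;
}

# RFC 822 folding: CRLF immediately followed by whitespace is equivalent
# to that whitespace, so unfold it. Every other CR or LF has no legitimate
# meaning in a header value and is refused outright.
sub clean_value {
    my ($v) = @_;
    $v =~ s/$CRLF(\s)/$1/g;
    die "header value contains a bare CR/LF\n" if $v =~ /[\015\012]/;
    return $v;
}

# Hardened emitter: same output format, but every value is cleaned first.
sub hardened_headers {
    my (%h) = @_;
    my %clean;
    for my $name (keys %h) {
        next unless defined $h{$name};
        $clean{$name} = clean_value($h{$name});
    }
    return naive_headers(%clean);
}

# Count how many header lines with a given name a header block contains.
sub count_header {
    my ($block, $name) = @_;
    return scalar(() = $block =~ /^\Q$name\E:/mg);
}

# Constructed attacker input: a cookie value that smuggles a second
# Set-Cookie line, as could arrive from a form field that a CGI script
# echoes into a cookie without checking it.
my $evil_cookie = "session=abc" . $CRLF . "Set-Cookie: role=admin";
# Constructed attacker input for P3P: closes the quoted CP value and
# appends an unrelated header.
my $evil_p3p = "CAO\"" . $CRLF . "X-Injected: 1";

my $naive = naive_headers(cookie => $evil_cookie, p3p => $evil_p3p);
print "--- naive ---\n", $naive;
printf "Set-Cookie lines: %d, X-Injected lines: %d\n",
    count_header($naive, "Set-Cookie"), count_header($naive, "X-Injected");

print "--- hardened ---\n";
for my $input ([cookie => $evil_cookie], [p3p => $evil_p3p]) {
    eval { print hardened_headers(@$input); 1 }
        or print "rejected $input->[0]: $@";
}

# A legitimately folded value is unfolded rather than rejected.
print hardened_headers(p3p => "CAO${CRLF} DSP COR");
```

Running the naive emitter on the constructed input yields two Set-Cookie lines and an X-Injected line, i.e. the attacker controls headers the browser will honour; the hardened emitter dies on both inputs but still accepts the folded P3P value, which is the behaviour a fix needs to preserve so that multi-line values wrapped per RFC 822 keep working.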