Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

Chris Boot crb at tiger-computing.co.uk
Tue Jan 12 17:37:39 UTC 2016


On 12/01/16 15:27, Salvatore Bonaccorso wrote:
> My gut feeling about this: Since the issue was already present before,
> uncovered indirectly by the perl DSA, and currently affects twiki (not
> packaged in Debian), I would tend to ask the SRM to have the fix for
> libcgi-session-perl to be scheduled via the next Jessie point release
> rather than a DSA.
> 
> Do you feel strongly about having the fix earlier via a DSA?

I don't feel particularly strongly about it being fixed by a DSA as we
have a workaround (though the patch I included previously is incorrect
and broken; the patch in RT appears to work).

That being said, ikiwiki (packaged) appears to use CGI::Session so I
would be surprised if it was not affected, assuming it uses the same
session storage driver.

HTH,
Chris

-- 
Chris Boot

Tiger Computing Ltd
ISO 27001:2013 Certified

Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park, Wyastone Leys, Monmouth, NP25 3SR
