On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > Moritz Muehlenhoff <j...@debian.org> writes:
> > > Three security issues have been reported in libcgi-pm-perl:
> > >
> > > http://security-tracker.debian.org/tracker/CVE-2010-2761
> > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> >
> > I'm not quite sure yet what CVE-2010-4411 refers to. It seems that the
> > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > issue?
> >
> > We should probably wait until the issue is really fixed:
> >
> > | > 2. Further improvements to handling of newlines embedded in header
> > | > values.
> > [...]
> > | Yes, it is. However, later testing found that the issue wasn't
> > | completely fixed in 3.50. A new patch has been developed, and is
> > | currently pending review and acceptance by the primary CGI.pm author,
> > | Lincoln Stein. (Now CC'ed).
> > -- <http://openwall.com/lists/oss-security/2010/12/01/3>
>
> [ I'm adding Lincoln to CC. ]
>
> Lincoln,
> we're trying to fix CVE-2010-4411 for the upcoming Debian release.
>
> Is a final patch already available?

I see Mark Stosberg (CC'd as well) recently pushed this into the CGI.pm
github repository:

https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d

Mark, is this double newline injection fix the new patch referred to above?

Thanks for your work,
-- 
Niko Tyni   nt...@debian.org
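The thread turns on a header-newline fix that was found to be incomplete. The following added illustration (not CGI.pm's code, and not the actual 3.50 patch) contrasts a constructed partial sanitizer that removes only the first line break with a strict check that rejects any CR or LF, and shows why a value carrying a doubled line break slips past the partial one; the header names and values are constructed test data.

```python
import re

CRLF = "\r\n"


def naive_strip_newline(value: str) -> str:
    """Constructed stand-in for an incomplete fix: drops only the first
    CR/LF sequence in a header value (assumption for illustration, not
    the real CGI.pm 3.50 behaviour)."""
    return re.sub(r"\r?\n", "", value, count=1)


def strict_header_value(value: str) -> str:
    """Defensive check: refuse any CR or LF anywhere in a header value."""
    if re.search(r"[\r\n]", value):
        raise ValueError("header value contains a line break")
    return value


def render_headers(headers, sanitizer) -> str:
    """Serialise (name, value) pairs the way a CGI response would."""
    lines = [f"{name}: {sanitizer(value)}" for name, value in headers]
    return CRLF.join(lines) + CRLF + CRLF


def header_line_count(raw: str) -> int:
    """Count header lines a receiver would see before the blank line."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return len([line for line in head.split(CRLF) if line])


def injection_detected(value: str, sanitizer) -> bool:
    """True when one supplied value yields more than one header line."""
    raw = render_headers([("Set-Cookie", value)], sanitizer)
    return header_line_count(raw) > 1


def strict_rejects(value: str) -> bool:
    """True when the strict check refuses the value outright."""
    try:
        injection_detected(value, strict_header_value)
    except ValueError:
        return True
    return False
```

A single embedded CRLF is neutralised by the partial sanitizer, but a doubled one leaves a CRLF behind and a second header line appears; the strict check rejects both forms.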