On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:

> On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > Assuming this is the case, I'm attaching preliminary patches for
> > Thanks!
> Could you upload the fixes targeted at squeeze to tpu?

I'm happy to take care of libcgi-pm-perl. If the release team agrees
(cc'ed) that could be

- 3.38-2lenny2 / stable-proposed-updates
- 3.49-1squeeze1 / testing-proposed-updates
- 3.50-2 / unstable

(Alternative: just upload 3.50-2 to unstable and let it migrate to
testing.)

I'd rather leave perl-modules to Niko.

Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
Damyan in our repo (plus tons of unrelated changes that have
accumulated since the last upload :/) but (b) also a new upstream
release:

http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes

  1.113 2010-12-27
    - (thanks to Yamada Masahiro) randomise multipart boundary string (security).
    ...
    Security: Fix handling of embedded malicious newlines in header values
    This is a direct port of the same security fix that

    Security: use a random MIME boundary by default in multipart_init().
    This is a direct port of the same issue which was addressed in CGI.pm,
    preventing some kinds of potential header injection attacks.

    Port from CGI.pm: Fix multi-line header parsing.
    This fix is covered by the tests in t/header.t added in the previous
    patch. If you run those tests without this patch, you'll see how the
    headers would be malformed without this fix.

    Port CRLF injection prevention from CGI.pm

I'm not sure what the best way to proceed is here; maybe Damyan has
more ideas since he's already worked on that package?

Cheers,
gregor

-- 
 .''`.  http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-   NP: Beatles: Helter Skelter
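The two mitigations the Changes entry describes, rejecting bare newlines in header values and using an unpredictable multipart boundary, written out as an added Python example (this is not CGI.pm or CGI::Simple code). The unfolding rule (a CR/LF followed by a space or tab is a legal fold), the boundary format and the function names are assumptions modelled on the description above.

```python
import re
import secrets

# Unfolding: a CR?LF immediately followed by a space or tab is a legal
# header fold and is dropped; any other CR or LF would terminate the
# header line and let caller-supplied data start a new header.
_FOLD = re.compile(r"\r?\n(?=[ \t])")


def validate_header_value(value: str) -> str:
    """Unfold legal folds; raise ValueError on any remaining CR or LF."""
    unfolded = _FOLD.sub("", value)
    if "\r" in unfolded or "\n" in unfolded:
        raise ValueError("header value contains a newline not followed by whitespace")
    return unfolded


def is_safe_header_value(value: str) -> bool:
    """Predicate form of the check for callers that prefer no exception."""
    try:
        validate_header_value(value)
    except ValueError:
        return False
    return True


def header(content_type: str = "text/html", **fields: str) -> str:
    """Build a CGI response header block; every value passes the check above."""
    lines = ["Content-Type: " + validate_header_value(content_type)]
    for name, value in fields.items():
        field = name.replace("_", "-").title()  # set_cookie -> Set-Cookie
        lines.append(f"{field}: {validate_header_value(str(value))}")
    return "\r\n".join(lines) + "\r\n\r\n"


def random_boundary() -> str:
    """Boundary drawn from the CSPRNG; hex digits and '-' are boundary-safe."""
    return "------------" + secrets.token_hex(16)


def multipart_init(boundary=None) -> str:
    """Content-Type for server push; a fresh random boundary unless one is given."""
    boundary = boundary or random_boundary()
    return header(f"multipart/x-mixed-replace; boundary={boundary}")


if __name__ == "__main__":
    # Constructed inputs: a legal fold and a value carrying a bare CRLF.
    print(repr(header("text/html", set_cookie="sid=1; Path=/")))
    print(is_safe_header_value("a\r\n b"), is_safe_header_value("a\r\nb"))
    print(multipart_init())
```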