On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> clone 606370 -1
> found 606370 3.38-2lenny1
> reassign -1 libcgi-simple-perl 1.105-1
> thanks
>
> Moritz Muehlenhoff <j...@debian.org> writes:
> > Three security issues have been reported in libcgi-pm-perl:
> >
> > http://security-tracker.debian.org/tracker/CVE-2010-2761
> > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > http://security-tracker.debian.org/tracker/CVE-2010-4411
> >
> > The first two issues are fixed in 3.50 (already in sid), but
> > the second is still pending a final fix (see the referenced
> > link). Please get in touch with the release team to check,
> > whether migrating 3.50 plus the fix for CVE-2010-4411 or
> > uploading a tpu fix with 3.49 plus the security fixes is the
> > best way to resolve this.
>
> In addition to Lenny's version of libcgi-pm-perl, the same issues also
> affect libcgi-simple-perl, including the version currently in unstable
> (1.111-1).
>
> I'm not quite sure yet what CVE-2010-4411 refers to. It seems that the
> fix for CVE-2010-2761 was not complete, but it is not a different, new
> issue?
>
> We should probably wait until the issue is really fixed:
>
> | > 2. Further improvements to handling of newlines embedded in header
> | > values.
> [...]
> | Yes, it is. However, later testing found that the issue wasn't
> | completely fixed in 3.50. A new patch has been developed, and is
> | currently pending review and acceptance by the primary CGI.pm author,
> | Lincoln Stein. (Now CC'ed).
> -- <http://openwall.com/lists/oss-security/2010/12/01/3>
[ I'm adding Lincoln to CC. ]

Lincoln, we're trying to fix CVE-2010-4411 for the upcoming Debian release.
Is a final patch already available?

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
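The quoted changelog entry above ("handling of newlines embedded in header values") is the whole of what this thread says about the bug class behind CVE-2010-2761 and CVE-2010-4411: a CGI library that copies caller-supplied text into an HTTP response header without rejecting carriage returns and line feeds lets an attacker who controls that text append headers of their own. The example below is added here to illustrate that check and is not code from CGI.pm, CGI::Simple or the Debian packages; it is written in Python rather than Perl only so the check can be exercised stand-alone. The function names, the constructed sample values and the deliberately weak `naive_header_ok` are assumptions of this example. The thread does not say what the gap in 3.50 was, so `naive_header_ok` is only a generic picture of how a first fix to such handling can be incomplete (rejecting the CRLF pair but not a bare LF or CR), not a description of CGI.pm's code.

```python
import re

# HTTP ends a header line at CRLF, and most servers and clients also accept
# a bare LF or CR.  A header value therefore must contain none of them.
_LINE_BREAK = re.compile(r"[\r\n]")

# RFC 7230 "token" characters, the only ones allowed in a header name.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def strict_header_ok(value: str) -> bool:
    """Accept a header value only if it contains no CR or LF at all."""
    return _LINE_BREAK.search(value) is None


def naive_header_ok(value: str) -> bool:
    """Hypothetical incomplete check (not CGI.pm's code): it rejects the exact
    CRLF pair but lets a bare LF or CR through, either of which still starts
    a new header line for a lenient parser."""
    return "\r\n" not in value


def build_header(name: str, value: str, check=strict_header_ok) -> str:
    """Serialise one header line, refusing names or values that could
    break out of the line.  `check` is swappable so the weak variant can
    be compared against the strict one."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if not check(value):
        raise ValueError(f"line break in header value: {value!r}")
    return f"{name}: {value}\r\n"


# Constructed sample inputs (not taken from the advisories): a clean
# Content-Type value and three attempts to smuggle a Set-Cookie header.
SAMPLES = {
    "clean":   "text/html; charset=utf-8",
    "crlf":    "text/html\r\nSet-Cookie: session=attacker",
    "bare_lf": "text/html\nSet-Cookie: session=attacker",
    "bare_cr": "text/html\rSet-Cookie: session=attacker",
}


def evaluate(check) -> dict:
    """Map each sample to whether `check` accepts it (True = let through)."""
    return {label: check(value) for label, value in SAMPLES.items()}


def split_lines(raw: str) -> list:
    """Mimic a lenient header parser: CRLF, bare CR and bare LF all end a
    line.  Shows what a receiver makes of an accepted value."""
    return re.split(r"\r\n|\r|\n", raw.rstrip("\r\n"))


if __name__ == "__main__":
    for label, check in (("strict", strict_header_ok), ("naive", naive_header_ok)):
        print(label, evaluate(check))
    smuggled = build_header("Content-Type", SAMPLES["bare_lf"], naive_header_ok)
    print(split_lines(smuggled))
```

Run stand-alone, the strict check accepts only the clean value, while the naive variant accepts both the bare-LF and bare-CR samples; feeding the bare-LF value through `split_lines` shows it arriving at a lenient receiver as two headers, a `Content-Type` and an attacker-chosen `Set-Cookie`. The practical test for any fix in this area is the same: try CRLF, bare LF and bare CR separately, not just the pair.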