OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src openpkg-web Date: 06-Aug-2003 17:07:14 Branch: OPENPKG_1_3_SOLID HEAD Handle: 2003080616071202 Modified files: openpkg-web news.txt Modified files: (Branch: OPENPKG_1_3_SOLID) openpkg-src/perl-www perl-www.patch perl-www.spec Log: OpenPKG-SA-2003.036-perl-www; CAN-2003-0615 Summary: Revision Changes Path 1.1.2.1.2.1 +26 -0 openpkg-src/perl-www/perl-www.patch 1.45.2.5.2.2+2 -2 openpkg-src/perl-www/perl-www.spec 1.6057 +1 -0 openpkg-web/news.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/perl-www/perl-www.patch ============================================================================ $ cvs diff -u -r1.1.2.1 -r1.1.2.1.2.1 perl-www.patch --- openpkg-src/perl-www/perl-www.patch 24 Jul 2003 20:44:56 -0000 1.1.2.1 +++ openpkg-src/perl-www/perl-www.patch 6 Aug 2003 15:07:14 -0000 1.1.2.1.2.1 @@ -1,3 +1,29 @@ +http://stein.cshl.org/WWW/software/CGI/ + under "Revision History" find "Fixed cross-site scripting bug + reported by obscure" note attached to Version 2.94. A quick fix was + introduced in 2.94. It was replaced by a more careful patch in 2.99. + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 + Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm + allows remote attackers to insert web script via a URL that is fed + into the form's action parameter + +--- CGI.pm-2.98/CGI.pm.orig Wed Jun 18 21:57:21 2003 ++++ CGI.pm-2.98/CGI.pm Fri Aug 1 16:39:52 2003 +@@ -1641,10 +1641,10 @@ + unless (defined $action) { + $action = $self->url(-absolute=>1,-path=>1); + if (length($ENV{QUERY_STRING})>0) { +- $action .= "?$ENV{QUERY_STRING}"; ++ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1); + } + } +- $action =~ s/\"/%22/g; # fix cross-site scripting bug reported by obscure ++ $action = escape($action); + $action = qq(action="$action"); + my($other) = @other ? " @other" : ''; + $self->{'.parametersToAdd'}={}; + --- libwww-perl-5.69/lib/LWP/Protocol/ftp.pm.orig Fri Oct 26 22:13:20 2001 +++ libwww-perl-5.69/lib/LWP/Protocol/ftp.pm Mon May 26 11:09:01 2003 @@ -323,7 +323,13 @@ @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl-www/perl-www.spec ============================================================================ $ cvs diff -u -r1.45.2.5.2.1 -r1.45.2.5.2.2 perl-www.spec --- openpkg-src/perl-www/perl-www.spec 29 Jul 2003 15:00:50 -0000 1.45.2.5.2.1 +++ openpkg-src/perl-www/perl-www.spec 6 Aug 2003 15:07:14 -0000 1.45.2.5.2.2 @@ -48,8 +48,8 @@ Distribution: OpenPKG [BASE] Group: Language License: GPL/Artistic -Version: 1.3.0 -Release: 1.3.0 +Version: 1.3.1 +Release: 1.3.1 # list of sources Source0: http://www.cpan.org/modules/by-module/URI/URI-%{V_uri}.tar.gz @@ . patch -p0 <<'@@ .' Index: openpkg-web/news.txt ============================================================================ $ cvs diff -u -r1.6056 -r1.6057 news.txt --- openpkg-web/news.txt 6 Aug 2003 14:57:08 -0000 1.6056 +++ openpkg-web/news.txt 6 Aug 2003 15:07:12 -0000 1.6057 @@ -1,3 +1,4 @@ +06-Aug-2003: Upgraded package: P<perl-www-1.3.1-1.3.1> 06-Aug-2003: Upgraded package: P<proftpd-1.2.9rc1-20030806> 06-Aug-2003: Upgraded package: P<xaw3d-1.5-20030806> 06-Aug-2003: Upgraded package: P<openssh-3.5p1-1.2.2> @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]