OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org                  Name:   Thomas Lotterer
Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
Module: openpkg-src openpkg-web          Date:   06-Aug-2003 17:10:11
Branch: OPENPKG_1_2_SOLID HEAD           Handle: 2003080616100901
Added files: (Branch: OPENPKG_1_2_SOLID)
openpkg-src/perl-www perl-www.patch
Modified files:
openpkg-web news.txt
Modified files: (Branch: OPENPKG_1_2_SOLID)
openpkg-src/perl-www perl-www.spec
Log:
OpenPKG-SA-2003.036-perl-www; CAN-2003-0615
Summary:
Revision Changes Path
1.1.4.1 +24 -0 openpkg-src/perl-www/perl-www.patch
1.45.2.1.2.3+4 -2 openpkg-src/perl-www/perl-www.spec
1.6058 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/perl-www/perl-www.patch
============================================================================
$ cvs diff -u -r0 -r1.1.4.1 perl-www.patch
--- /dev/null 2003-08-06 17:10:10.000000000 +0200
+++ perl-www.patch 2003-08-06 17:10:11.000000000 +0200
@@ -0,0 +1,24 @@
+http://stein.cshl.org/WWW/software/CGI/
+ under "Revision History" find "Fixed cross-site scripting bug
+ reported by obscure" note attached to Version 2.94. A quick fix was
+ introduced in 2.94. It was replaced by a more careful patch in 2.99.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
+ Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
+ allows remote attackers to insert web script via a URL that is fed
+ into the form's action parameter
+
+--- CGI.pm-2.89/CGI.pm.orig Wed Oct 16 19:48:37 2002
++++ CGI.pm-2.89/CGI.pm Wed Aug 6 16:22:26 2003
+@@ -1553,9 +1553,10 @@
+ unless (defined $action) {
+ $action = $self->url(-absolute=>1,-path=>1);
+ if (length($ENV{QUERY_STRING})>0) {
+- $action .= "?$ENV{QUERY_STRING}";
++ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
+ }
+ }
++ $action = escape($action);
+ $action = qq(action="$action");
+ my($other) = @other ? " @other" : '';
+ $self->{'.parametersToAdd'}={};
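Review bot: In the embedded CGI.pm hunk, `$action = escape($action);` sits after the closing brace of `unless (defined $action)`, so it runs over the whole value: a caller-supplied action, the path and `?` separator built by `$self->url(-absolute=>1,-path=>1)`, and the query string that `escapeHTML(...)` has already encoded one line earlier. If `escape()` here is CGI.pm's URL-encoding helper, that second pass would percent-encode `/`, `?` and the `&` and `;` of the HTML entities, which changes the URL the form submits to rather than only neutralising markup. Since the value is written into an HTML attribute in `qq(action="$action")`, consider HTML-escaping the complete `$action` once at that point and dropping the separate pass over `QUERY_STRING`. The header text says the 2.94 quick fix was replaced by a more careful patch in 2.99; please state in the header which of the two this backport follows, and check that a form generated with a non-empty query string still posts back to the same script.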
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/perl-www/perl-www.spec
============================================================================
$ cvs diff -u -r1.45.2.1.2.2 -r1.45.2.1.2.3 perl-www.spec
--- openpkg-src/perl-www/perl-www.spec 18 Jan 2003 18:38:30 -0000
1.45.2.1.2.2
+++ openpkg-src/perl-www/perl-www.spec 6 Aug 2003 15:10:10 -0000
1.45.2.1.2.3
@@ -44,8 +44,8 @@
Distribution: OpenPKG [BASE]
Group: Language
License: GPL/Artistic
-Version: 1.2.0
-Release: 1.2.0
+Version: 1.2.1
+Release: 1.2.1
# list of sources
Source0: http://www.cpan.org/modules/by-module/URI/URI-%{V_uri}.tar.gz
@@ -58,6 +58,7 @@
Source7:
http://www.cpan.org/modules/by-module/CGI/CGI-Safe-%{V_cgi_safe}.tar.gz
Source8:
http://www.cpan.org/modules/by-module/CGI/CGI-Session-%{V_cgi_session}.tar.gz
Source9: http://www.cpan.org/modules/by-module/FCGI/FCGI-%{V_fcgi}.tar.gz
+Patch0: perl-www.patch
# build information
Prefix: %{l_prefix}
@@ -91,6 +92,7 @@
%setup7 -q -T -D -a 7
%setup8 -q -T -D -a 8
%setup9 -q -T -D -a 9
+ %patch0 -p0
%build
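Review bot: `%patch0 -p0` applies a patch whose paths are hard-coded as `CGI.pm-2.89/CGI.pm`, while the Source lines in this spec take their versions from macros such as `%{V_cgi_safe}`. If the bundled CGI.pm version is ever bumped on this branch, the patch will stop applying, and a build that tolerates a failed or skipped patch step would ship the unfixed `start_form()`. A comment next to `Patch0:` or `%patch0` naming the advisory (OpenPKG-SA-2003.036, CAN-2003-0615) and the CGI.pm version the patch targets would make that dependency visible to whoever updates the package next.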
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.6057 -r1.6058 news.txt
--- openpkg-web/news.txt 6 Aug 2003 15:07:12 -0000 1.6057
+++ openpkg-web/news.txt 6 Aug 2003 15:10:09 -0000 1.6058
@@ -1,3 +1,4 @@
+06-Aug-2003: Upgraded package: P<perl-www-1.2.1-1.2.1>
06-Aug-2003: Upgraded package: P<perl-www-1.3.1-1.3.1>
06-Aug-2003: Upgraded package: P<proftpd-1.2.9rc1-20030806>
06-Aug-2003: Upgraded package: P<xaw3d-1.5-20030806>
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]