OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src openpkg-web Date: 15-Sep-2003 15:41:20 Branch: OPENPKG_1_3_SOLID HEAD Handle: 2003091514411901 Modified files: openpkg-web news.txt Modified files: (Branch: OPENPKG_1_3_SOLID) openpkg-src/perl perl.patch perl.spec Log: MFC: SA-2003.039-perl; CAN-2003-0615 Summary: Revision Changes Path 1.6.6.1 +29 -0 openpkg-src/perl/perl.patch 1.72.2.2.2.2+1 -1 openpkg-src/perl/perl.spec 1.6567 +1 -0 openpkg-web/news.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.patch ============================================================================ $ cvs diff -u -r1.6 -r1.6.6.1 perl.patch --- openpkg-src/perl/perl.patch 16 Dec 2002 11:25:39 -0000 1.6 +++ openpkg-src/perl/perl.patch 15 Sep 2003 13:41:20 -0000 1.6.6.1 
@@ -24,3 +24,32 @@ return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub); } +http://stein.cshl.org/WWW/software/CGI/ + under "Revision History" find "Fixed cross-site scripting bug + reported by obscure" note attached to Version 2.94. A quick fix was + introduced in 2.94. It was replaced by a more careful patch in 2.99. + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 + Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm + allows remote attackers to insert web script via a URL that is fed + into the form's action parameter + +This is a backport of the 2.99 patch for 2.81 which is the version +embedded with perl 5.8.0 + +--- lib/CGI.pm.orig 2003-09-15 14:09:34.000000000 +0200 ++++ lib/CGI.pm 2003-09-15 14:16:26.000000000 +0200 +@@ -1533,8 +1533,11 @@ + $enctype = $enctype || &URL_ENCODED; + unless (defined $action) { + $action = $self->url(-absolute=>1,-path=>1); +- $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING}; ++ if (length($ENV{QUERY_STRING})>0) { ++ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1); ++ } + } ++ $action = escape($action); + $action = qq(action="$action"); + my($other) = @other ? " @other" : ''; + $self->{'.parametersToAdd'}={}; + @@ . patch -p0 <<'@@ .' Index: openpkg-src/perl/perl.spec ============================================================================ $ cvs diff -u -r1.72.2.2.2.1 -r1.72.2.2.2.2 perl.spec --- openpkg-src/perl/perl.spec 29 Jul 2003 15:00:32 -0000 1.72.2.2.2.1 +++ openpkg-src/perl/perl.spec 15 Sep 2003 13:41:20 -0000 1.72.2.2.2.2 
@@ -33,7 +33,7 @@ Group: Language License: GPL/Artistic Version: 5.8.0 -Release: 1.3.0 +Release: 1.3.1 # list of sources Source0: ftp://ftp.cpan.org/pub/CPAN/src/perl-%{version}.tar.gz @@ . patch -p0 <<'@@ .' Index: openpkg-web/news.txt ============================================================================ $ cvs diff -u -r1.6566 -r1.6567 news.txt --- openpkg-web/news.txt 15 Sep 2003 13:28:51 -0000 1.6566 +++ openpkg-web/news.txt 15 Sep 2003 13:41:19 -0000 1.6567 @@ -1,3 +1,4 @@ +15-Sep-2003: Upgraded package: P<perl-5.8.0-1.3.1> 15-Sep-2003: Upgraded package: P<perl-5.8.0-20030915> 15-Sep-2003: Upgraded package: P<pine-4.58L-20030915> 15-Sep-2003: New package: P<pine-4.58L-20030915> @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
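Review bot: in the perl.patch hunk, the added `$action = escape($action);` sits after the closing brace of `unless (defined $action) { ... }`, so it runs on every start_form() call, including ones where the caller supplied an explicit -action, and it is applied on top of the query string that the preceding lines already ran through `$self->escapeHTML($ENV{QUERY_STRING},1)`. If `escape` here is the percent-encoder that CGI.pm imports from CGI::Util, encoding the whole URL will also encode the `/`, `?` and `=` of the path and the `&` and `;` of the `&amp;` entities escapeHTML just produced, and the rendered form will no longer post to the original path. The header added above the hunk says this is a backport of the 2.99 fix; please confirm that 2.99 really places that line outside the block rather than HTML-escaping the action inside it, and test a form rendered with both an implicit and an explicit -action against a query string like `a=1&b=<x>` before merging to OPENPKG_1_3_SOLID. The switch from `if $ENV{QUERY_STRING}` to `length($ENV{QUERY_STRING})>0` is fine and also handles a literal query string of `0`.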
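Review bot: the perl.spec hunk is a release bump only, which is consistent with the news.txt entry naming perl-5.8.0-1.3.1; because the CGI.pm change is folded into the existing perl.patch rather than added as a new Patch: source, no new %patch line is needed, but the `lib/CGI.pm` paths in the added hunk must match the strip level the spec already uses for perl.patch. A one-line comment beside `Release: 1.3.1` citing SA-2003.039 and CAN-2003-0615 would let someone reading the spec alone see why 1.3.1 exists.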
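Review bot: the news.txt hunk records only the new version string, directly above the same-day HEAD entry for perl-5.8.0-20030915 from this MFC, and neither line says the upgrade is a security fix. If the news format permits it, appending the advisory id (SA-2003.039-perl) to the 1.3.1 entry would help users of the 1.3 branch recognise it as a required update rather than a routine rebuild.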