Hi, I'm CGI-Application's maintainer in Fedora.

> I agree that the behavior when a runmode is not defined is surprising and
> a bug, but I think treating it as a full-blown security vulnerability in
> CGI::Application (as opposed to the calling application) may be overkill.
> That said, it looks like Fedora did treat it as a security update.

Yup. I decided to err on the side of caution. Like you, I tend to think this is overkill, but you never know what an application's ENV contains and I can see CGI-Application's behaviour coming as a surprise.

> The patch in the Github pull request does look correct (although it's an
> irritating patch from a security perspective since it includes apparently
> arbitrary code reformatting).

Indeed. I took the liberty of taking only the parts of the patch that were important and leaving the code reformatting pieces behind. As a result, the patch Fedora ships is less intrusive than the one submitted upstream.

You can get a copy of the patch by running the command:

    git clone git://pkgs.fedoraproject.org/perl-CGI-Application

Emmanuel