Hi,

On Tue, Jan 12, 2016 at 01:38:51PM +0000, Dominic Hargreaves wrote:
> Control: tags -1 - security
> Control: found -1 4.46-1
>
> On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> > Control: tag -1 security
> >
> > On 12/01/16 12:28, Chris Boot wrote:
> > [snip]
> > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> > >
> > > Dear Maintainer,
> > >
> > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our installation of TWiki (http://twiki.org/) no longer functions. This happens due to CGI::Session::Driver::file complaining about taint.
> >
> > I'm bringing this bug to the attention of the security team, as it has only come to light since the Jessie DSA of Perl (DSA-3441-1), so it's a stable security regression.
>
> Indeed, this is unfortunate - confirmed that this is trivially reproducible. It is misleading to call this a security bug in itself, so I am removing that tag.
>
> I am happy to prepare an updated package with the patch from the RT ticket, though it would be good to get some second opinions on the correctness of that patch. I guess that should be released as a DSA update, given (as you point out) it's a regression indirectly introduced by the DSA. Another alternative would be the jessie point release, for which the freeze date is later this week.
>
> I'm puzzled about why this wasn't spotted as an issue for wheezy, which doesn't have the perl taint bug, and does suffer from this problem: we should fix that there too, probably in the next point release.
My gut feeling about this: since the issue was already present before, uncovered indirectly by the perl DSA, and currently affects twiki (not packaged in Debian), I would tend to ask the SRM to have the fix for libcgi-session-perl scheduled via the next Jessie point release rather than a DSA.

Do you feel strongly about having the fix earlier via a DSA?

Thanks for bringing that to our attention!

Regards,
Salvatore