Your message dated Thu, 13 Jan 2011 21:20:44 +0000
with message-id <e1pdub6-0007we...@franck.debian.org>
and subject line Bug#606370: fixed in libcgi-pm-perl 3.51-1
has caused the Debian Bug report #606370,
regarding CVE-2010-2761 CVE-2010-4410 CVE-2010-4411
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
606370: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libcgi-pm-perl
Version: 3.49-1
Severity: grave
Tags: security
Three security issues have been reported in libcgi-pm-perl:
http://security-tracker.debian.org/tracker/CVE-2010-2761
http://security-tracker.debian.org/tracker/CVE-2010-4410
http://security-tracker.debian.org/tracker/CVE-2010-4411
The first two issues are fixed in 3.50 (already in sid), but
the second is still pending a final fix (see the referenced
link). Please get in touch with the release team to check
whether migrating 3.50 plus the fix for CVE-2010-4411 or
uploading a tpu fix with 3.49 plus the security fixes is the
best way to resolve this.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Source: libcgi-pm-perl
Source-Version: 3.51-1
We believe that the bug you reported is fixed in the latest version of
libcgi-pm-perl, which is due to be installed in the Debian FTP archive:
libcgi-pm-perl_3.51-1.debian.tar.gz
to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51-1.debian.tar.gz
libcgi-pm-perl_3.51-1.dsc
to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51-1.dsc
libcgi-pm-perl_3.51-1_all.deb
to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51-1_all.deb
libcgi-pm-perl_3.51.orig.tar.gz
to main/libc/libcgi-pm-perl/libcgi-pm-perl_3.51.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 606...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libcgi-pm-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 13 Jan 2011 22:10:07 +0100
Source: libcgi-pm-perl
Binary: libcgi-pm-perl
Architecture: source all
Version: 3.51-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description:
libcgi-pm-perl - module for Common Gateway Interface applications
Closes: 367711 606370
Changes:
libcgi-pm-perl (3.51-1) unstable; urgency=low
.
  [ Niko Tyni ]
  * New upstream release.
    + [SECURITY] CVE-2010-4411: fixes a double CR/LF injection vulnerability,
      the last missing bit for the CVE-2010-2761 + CVE-2010-4410 issues
      that were fixed in 3.50. (Closes: #606370)
    + fixes writeability checks of the temporary directory for file uploads,
      and documents supported ways to override the builtin directories.
      (Closes: #367711)
  * debian/patches/fix-pod-spelling.patch: removed, included upstream
.
  [ gregor herrmann ]
  * debian/watch: add URL for the unofficial 3.51 release in order to make it
    uscan-able.
  * debian/copyright: update list for debian/* and update formatting.
  * Add patch spelling.patch to fix a spelling mistake in various files.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---