On Mon, May 09, 2011 at 07:44:21AM +0200, Salvatore Bonaccorso wrote:
> Package: libmojolicious-perl
> Version: 0.999926-1+squeeze1
> Severity: grave
> Tags: squeeze security
> Justification: user security hole
>
> Hi
>
> libmojolicious-perl prior to 1.12 seems vulnerable to a cross-site
> scripting vulnerability.
>
> The CVE for this issue is CVE-2011-1841 [1].
>
> [1] http://security-tracker.debian.org/tracker/CVE-2011-1841
>
> Debian wheezy and unstable already have 1.21-1. Debian squeeze has
> 0.999926-1+squeeze1, which according to [2] is vulnerable.
>
> [2] http://www.securityfocus.com/bid/47713/info
>
> Changelog for 1.12 contains:
>
> - Fixed XSS issue in link_to helper.
>
> This seems to be fixed in upstream git commit
> f6801ef7be8c78092e38f870b19fae3da0899d60 (but needs a check if we can
> apply it to version in squeeze).
There's also CVE-2010-4803 and CVE-2010-4802, which have been assigned to
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622952#31

IIRC we postponed these two to push the more severe directory traversal
bug recently fixed. Could you contact upstream and check/discuss the
impact and applicability to the Squeeze version?

Cheers,
Moritz

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
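For readers who have not looked at the class of bug the thread is about, here is an added illustration of how an HTML link helper becomes an XSS sink when it interpolates caller-supplied values without escaping, placed next to a hardened version. This is example code written for this page; it is not Mojolicious's `link_to` implementation, not the patch in commit f6801ef7be8c78092e38f870b19fae3da0899d60, and it makes no claim about which of the two inputs below the real CVE-2011-1841 defect corresponded to. The helper names, the escaping routine and the attacker strings are all constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaper covering the five characters that break out of
# text nodes and double-quoted attribute values. (Constructed helper;
# a real application would use a library such as HTML::Entities or the
# framework's own escaping instead of rolling its own.)
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable shape of a link helper: href and link text are dropped into
# the markup verbatim, so either one can inject attributes or tags.
sub link_to_unescaped {
    my ($text, $href) = @_;
    return qq{<a href="$href">$text</a>};
}

# Hardened shape: escape the attribute value and the text node separately,
# and only allow an explicit allowlist of URL schemes in the href so that
# escaping alone is not relied on to stop javascript: style links.
sub link_to_escaped {
    my ($text, $href) = @_;
    if ($href =~ /^\s*([a-z][a-z0-9+.-]*):/i) {
        my $scheme = lc $1;
        $href = '#' unless $scheme eq 'http' || $scheme eq 'https' || $scheme eq 'mailto';
    }
    return sprintf '<a href="%s">%s</a>', html_escape($href), html_escape($text);
}

# Constructed attacker-controlled inputs, as they might arrive in a query
# parameter that a template passes straight to the helper.
my $evil_text = q{<script>alert(1)</script>};
my $evil_href = q{" onmouseover="alert(document.cookie)};
my $js_href   = q{javascript:alert(1)};

print "unescaped (attribute + tag injection):\n  ",
    link_to_unescaped($evil_text, $evil_href), "\n";
print "escaped (inert markup):\n  ",
    link_to_escaped($evil_text, $evil_href), "\n";
print "escaped, javascript: scheme neutralised:\n  ",
    link_to_escaped('click', $js_href), "\n";
```

The first line of output shows the attacker closing the `href` attribute early and adding an `onmouseover` handler, and then injecting a `<script>` element as the link text; the second shows both payloads reduced to harmless entity-encoded text. The scheme check in the hardened helper is there because attribute escaping does nothing against a `javascript:` URL, which is valid attribute content; that is a separate decision the helper has to make. When assessing whether a given release is affected by a report like the one above, the thing to check in the package's helper is exactly this: whether each interpolated value is escaped for the context it lands in, not merely whether the output happens to look like HTML.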