Dominic Hargreaves <d...@earth.li> writes:
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:

>> The changes look sane "in theory". They address all mentions of
>> FCGI::ENV in the source.

>> The RT testing by Dominic seems sufficient additional assurance to me.

> Russ, I guess you've been involved in fixing this locally; are you able
> to make any comments on the soundness of the patch at
> <http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=blob;f=debian/patches/cve-2011-2766.patch;h=62ca4ac0aff279faba37ce2168fccd248e5c45a6;hb=48b6294e73f73323310250fde667b2a2b7032df2>
> ?

Yeah, that should be fine. Personally, I would have just added a second
variable that's set to true if the environment was stored, since I think
it's easier to read and more comprehensible, but this is equivalent.

I haven't actually tested it since we worked around the problem in our
application instead (by ensuring that some environment variable was always
set), but I'm pretty sure that will work.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>