Your message dated Wed, 13 Mar 2013 00:17:58 +0000
with message-id <e1ufzoi-0007dc...@franck.debian.org>
and subject line Bug#702296: fixed in perl 5.16.3-1
has caused the Debian Bug report #702296,
regarding perl: CVE-2013-1667: rehashing flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
702296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702296
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: perl
Version: 5.10.1-17squeeze4
Severity: grave
Tags: security patch
Control: found -1 5.16.2-1

Hi Niko and Dominic

A hash-related flaw was announced today and CVE-2013-1667 assigned
to it.

For further reference see [1,2].

 [1]: http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html
 [2]: https://security-tracker.debian.org/tracker/CVE-2013-1667

Could you please include the CVE identifier when fixing the issue? I
assume this should get a DSA.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.16.3-1

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 12 Mar 2013 23:08:47 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.16 libperl-dev perl
Architecture: source all i386
Version: 5.16.3-1
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.16 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 678138 698174 698320 702094 702296 702416 702562
Changes: 
 perl (5.16.3-1) experimental; urgency=low
 .
   * Remove Depends/Recommends/Suggests on modules deprecated in 5.12 and
     5.14 (Closes: #702094)
   * Fix FTBFS with findutils from experimental by not using deprecated
     permissions check syntax; thanks to Roland Stigge (Closes: #702562)
   * Merge 5.14.2-17, 5.14.2-18, 5.14.2-19 and 5.14.2-20 from unstable
     + Fix a double-free bug in Digest::SHA. (Closes: #698174)
       + update the Breaks: entry accordingly.
     + Avoid wraparound when casting unsigned size_t to signed ssize_t.
       (Closes: #698320)
     + [SECURITY] CVE-2013-1667: fix a rehashing DoS opportunity
       against code that uses arbitrary user input as hash keys.
       (Closes: #702296)
     + Fix an Encode memory leak that occurred in the UTF-8 encoding.
       (Closes: #702416)
       + upgrade the Broken versions of the separate libencode-perl
         package accordingly.
   * Update debian/t/control.t to reflect Module::CoreList version
     inconsistency and to remove references to non-existent Breaks
   * Remove unneeded versioned dependencies on gcc and cpio
     (Closes: #678138)
   * Fix debian/copyright syntax (thanks, Lintian)
   * Include correct branch name in Vcs-Git field
   * New upstream release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRP8NgYzuFKFF44qURAubQAJ0as1romee4UwCplaAnEv0yDK3sjACgr7rY
o1YHQvRmRytJLdX92ycDQrs=
=fnI2
-----END PGP SIGNATURE-----

--- End Message ---