Bug#606995: Bug#606370: CVE-2010-2761 CVE-2010-4410 CVE-2010-4411

Niko Tyni ntyni at debian.org
Wed Jan 5 12:48:55 UTC 2011


On Mon, Dec 27, 2010 at 04:23:40PM +0200, Niko Tyni wrote:
> On Mon, Dec 27, 2010 at 03:33:21PM +0200, Niko Tyni wrote:
> > On Wed, Dec 08, 2010 at 08:53:28PM +0100, Moritz Muehlenhoff wrote:
> > > On Wed, Dec 08, 2010 at 08:35:47PM +0100, Ansgar Burchardt wrote:
> > > > Moritz Muehlenhoff <jmm at debian.org> writes:
> > > > > Three security issues have been reported in libcgi-pm-perl:
> > > > >
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-2761 
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4410
> > > > > http://security-tracker.debian.org/tracker/CVE-2010-4411
> > 
> > > > I'm not quite sure yet what CVE-2010-4411 refers to.  It seems that the
> > > > fix for CVE-2010-2761 was not complete, but it is not a different, new
> > > > issue?
> 
> >  https://github.com/markstos/CGI.pm/commit/77b3b2056c003edee034a2a890212edab800900d
> > 
> > Mark, is this double newline injection fix the new patch referred to above?

I think this is confirmed by
 http://www.openwall.com/lists/oss-security/2011/01/04/9 

which also contains a link to the corresponding CGI-Simple fix at
 http://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da

There's going to be a new upstream release of CGI.pm soon.

I hope I can make the time for perl 5.10.1-17 to unstable with just the
CGI.pm fixes and urgency=high in the next few days.  (If somebody else
wants to do it, I'm ecstatic.)
-- 
Niko Tyni   ntyni at debian.org





