[libmodule-signature-perl] 04/04: Prepare changelog for release to jessie-security
Salvatore Bonaccorso
carnil at debian.org
Thu May 14 13:29:51 UTC 2015
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to annotated tag debian/0.73-1+deb8u1
in repository libmodule-signature-perl.
commit 5b1d09a33dc621a90927a7df4b1a69f3b0b05778
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu May 14 12:59:14 2015 +0200
Prepare changelog for release to jessie-security
Git-Dch: Ignore
---
debian/changelog | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a3b0ed9..bb7cb7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high
+
+ * Team upload.
+ * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
+ CVE-2015-3406: Module::Signature parses the unsigned portion of the
+ SIGNATURE file as the signed portion due to incorrect handling of PGP
+ signature boundaries.
+ CVE-2015-3407: Module::Signature incorrectly handles files that are not
+ listed in the SIGNATURE file. This includes some files in the t/
+ directory that would execute when tests are run.
+ CVE-2015-3408: Module::Signature uses two argument open() calls to read
+ the files when generating checksums from the signed manifest, allowing
+ to embed arbitrary shell commands into the SIGNATURE file that would
+ execute during the signature verification process. (Closes: #783451)
+ * Add CVE-2015-3409.patch patch.
+ CVE-2015-3409: Module::Signature incorrectly handles module loading
+ allowing to load modules from relative paths in @INC. A remote attacker
+ providing a malicious module could use this issue to execute arbitrary
+ code during signature verification. (Closes: #783451)
+ * Add Fix-signature-tests.patch patch.
+ Fix signature tests by defaulting to verify(skip=>1) when
+ $ENV{TEST_SIGNATURE} is true.
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Thu, 14 May 2015 12:58:30 +0200
+
libmodule-signature-perl (0.73-1) unstable; urgency=low
* Team upload.
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git
More information about the Pkg-perl-cvs-commits
mailing list