[libmodule-signature-perl] 04/04: Prepare changelog for release to wheezy-security
Salvatore Bonaccorso
carnil at debian.org
Thu May 14 16:40:45 UTC 2015
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch wheezy
in repository libmodule-signature-perl.
commit cb1682912b5449ba00f200a855bf3c93f8604864
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu May 14 17:36:08 2015 +0200
Prepare changelog for release to wheezy-security
Git-Dch: Ignore
---
debian/changelog | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3d354ac..5b7fc83 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+libmodule-signature-perl (0.68-1+deb7u2) wheezy-security; urgency=high
+
+ * Team upload.
+ * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
+ CVE-2015-3406: Module::Signature parses the unsigned portion of the
+ SIGNATURE file as the signed portion due to incorrect handling of PGP
+ signature boundaries.
+ CVE-2015-3407: Module::Signature incorrectly handles files that are not
+ listed in the SIGNATURE file. This includes some files in the t/
+ directory that would execute when tests are run.
+ CVE-2015-3408: Module::Signature uses two argument open() calls to read
+ the files when generating checksums from the signed manifest, allowing
+ to embed arbitrary shell commands into the SIGNATURE file that would
+ execute during the signature verification process. (Closes: #783451)
+ * Add CVE-2015-3409.patch patch.
+ CVE-2015-3409: Module::Signature incorrectly handles module loading
+ allowing to load modules from relative paths in @INC. A remote attacker
+ providing a malicious module could use this issue to execute arbitrary
+ code during signature verification. (Closes: #783451)
+ * Add Fix-signature-tests.patch patch.
+ Fix signature tests by defaulting to verify(skip=>1) when
+ $ENV{TEST_SIGNATURE} is true.
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Thu, 14 May 2015 17:35:32 +0200
+
libmodule-signature-perl (0.68-1+deb7u1) wheezy; urgency=low
* Team upload.
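Review bot: The Fix-signature-tests.patch entry, the last bullet of the 0.68-1+deb7u2 stanza, says the tests now default to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true, but it does not say why the default changes or whether the change follows from the CVE patches listed above it. For a security upload, add a clause that states the reason, so a reader of the changelog can tell a test adjustment from a behavioural change in verification. Separately, "(Closes: #783451)" is given on both the CVE-2015-3406/3407/3408 entry and the CVE-2015-3409 entry; stating it once in the stanza is enough.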
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git