libmodule-signature-perl_0.68-1+deb7u2_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new

Debian FTP Masters ftpmaster at ftp-master.debian.org
Fri May 15 18:20:10 UTC 2015


Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 May 2015 17:35:32 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.68-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil at debian.org>
Description: 
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes: 
 libmodule-signature-perl (0.68-1+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two argument open() calls to read
     the files when generating checksums from the signed manifest, allowing
     to embed arbitrary shell commands into the SIGNATURE file that would
     execute during the signature verification process. (Closes: #783451)
   * Add CVE-2015-3409.patch patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading
     allowing to load modules from relative paths in @INC. A remote attacker
     providing a malicious module could use this issue to execute arbitrary
     code during signature verification. (Closes: #783451)
   * Add Fix-signature-tests.patch patch.
     Fix signature tests by defaulting to verify(skip=>1) when
     $ENV{TEST_SIGNATURE} is true.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.


