libmodule-signature-perl_0.73-1+deb8u1_amd64.changes ACCEPTED into proposed-updates->stable-new

Debian FTP Masters ftpmaster at ftp-master.debian.org
Fri May 15 18:20:14 UTC 2015


Mapping stable-security to proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 May 2015 12:58:30 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.73-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil at debian.org>
Description:
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes:
 libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two argument open() calls to read
     the files when generating checksums from the signed manifest, allowing
     to embed arbitrary shell commands into the SIGNATURE file that would
     execute during the signature verification process. (Closes: #783451)
   * Add CVE-2015-3409.patch patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading
     allowing to load modules from relative paths in @INC. A remote attacker
     providing a malicious module could use this issue to execute arbitrary
     code during signature verification. (Closes: #783451)
   * Add Fix-signature-tests.patch patch.
     Fix signature tests by defaulting to verify(skip=>1) when
     $ENV{TEST_SIGNATURE} is true.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.


