
Accepted libmodule-signature-perl 0.63-1+squeeze2 (source all) into squeeze-lts



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Jul 2015 12:20:06 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.63-1+squeeze2
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Description: 
 libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Changes: 
 libmodule-signature-perl (0.63-1+squeeze2) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Squeeze LTS team.
   * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch.
     CVE-2015-3406: Module::Signature parses the unsigned portion of the
     SIGNATURE file as the signed portion due to incorrect handling of PGP
     signature boundaries.
     CVE-2015-3407: Module::Signature incorrectly handles files that are not
     listed in the SIGNATURE file. This includes some files in the t/
     directory that would execute when tests are run.
     CVE-2015-3408: Module::Signature uses two argument open() calls to read
     the files when generating checksums from the signed manifest, allowing
     arbitrary shell commands to be embedded into the SIGNATURE file that
     would execute during the signature verification process.
   * Add CVE-2015-3409.patch.
     CVE-2015-3409: Module::Signature incorrectly handles module loading,
     allowing modules to be loaded from relative paths in @INC. A remote
     attacker providing a malicious module could use this issue to execute
     arbitrary code during signature verification.
Checksums-Sha1: 
 ef5477c7a10b8a19981666b9fe2779ac2301892a 2196 libmodule-signature-perl_0.63-1+squeeze2.dsc
 894e373ae7671d5d47c1c0995615cb79fc20dbe0 9376 libmodule-signature-perl_0.63-1+squeeze2.debian.tar.gz
 7cf5802013e361d1899b38f5b0a67f41d77d53ec 29542 libmodule-signature-perl_0.63-1+squeeze2_all.deb
Checksums-Sha256: 
 5329700977e8e60a1d9007b9030d128c4fcd2ab8c362a7847ec7d10178387b38 2196 libmodule-signature-perl_0.63-1+squeeze2.dsc
 cd71935c840ab57d16c961cd2ed5c04d20a26fdf0d9e5ae935c67591b21b08e3 9376 libmodule-signature-perl_0.63-1+squeeze2.debian.tar.gz
 a881b74db325c64da0c2466dfc9ba8c579c2b890793acf9e89411278b0dc0d62 29542 libmodule-signature-perl_0.63-1+squeeze2_all.deb
Files: 
 021f433fc99b6c2dd497df8ce008b869 2196 perl optional libmodule-signature-perl_0.63-1+squeeze2.dsc
 65c05bb6f3ad83707bf5d970d8993fef 9376 perl optional libmodule-signature-perl_0.63-1+squeeze2.debian.tar.gz
 cf964ac3a02d9a010568e4664c7f9efc 29542 perl optional libmodule-signature-perl_0.63-1+squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----