On Tue, Jan 4, 2011 at 19:45:56 +0100, gregor herrmann wrote:
> On Mon, 03 Jan 2011 19:15:03 +0100, Moritz Muehlenhoff wrote:
>
> > On Mon, Dec 27, 2010 at 04:12:16PM +0100, gregor herrmann wrote:
> > > On Mon, 27 Dec 2010 16:23:40 +0200, Niko Tyni wrote:
> > > > Assuming this is the case, I'm attaching preliminary patches for
> > > Thanks!
> > Could you upload the fixes targeted at squeeze to tpu?
>
> I'm happy to take care of libcgi-pm-perl.
>
> If the release team agrees (cc'ed) that could be

debian-release@lists works better than debian-release@bugs. Fixed.

> - 3.38-2lenny2 / stable-proposed-updates
> - 3.49-1squeeze1 / testing-proposed-updates
> - 3.50-2 / unstable
>
> (Alternative: just upload 3.50-2 to unstable and let it migrate to
> testing.)
>
>
> I'd rather leave perl-modules to Niko.
>
>
> Regarding libcgi-simple-perl there's (a) a patch against 1.111-1 by
> Damyan in our repo (plus tons of unrelated changes that have
> accumulated since the last upload :/) but (b) also a new upstream
> release:
>
> http://cpansearch.perl.org/src/ANDYA/CGI-Simple-1.113/Changes
>
> 1.113 2010-12-27
> - (thanks to Yamada Masahiro) randomise multipart boundary string
> (security).
> ...
> Security: Fix handling of embedded malicious newlines in header
> values This is a direct port of the same security fix that
>
> Security: use a random MIME boundary by default in
> multipart_init(). This is a direct port of the same issue
> which was addressed in CGI.pm, preventing some kinds of
> potential header injection attacks.
>
> Port from CGI.pm: Fix multi-line header parsing.
> This fix is covered by the tests in t/header.t added in
> the previous patch. If you run those tests without this
> patch, you'll see how the headers would be malformed
> without this fix.
>
> Port CRLF injection prevention from CGI.pm
>
> I'm not sure what the best way to proceed is here; maybe Damyan has
> more ideas since he's already worked on that package?
>
> Cheers,

Julien
Attachment:
signature.asc
Description: Digital signature
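The two changes quoted from the CGI::Simple 1.113 Changes file (rejecting bare newlines in header values, and using an unpredictable multipart boundary) are easier to reason about with a small defender-side sketch. The following is an added Perl example written for this page; it is not code from CGI.pm, CGI::Simple or the Debian patches under discussion. The function names safe_headers and random_boundary, the unfolding rule (a line break followed by a space or tab is treated as a folded continuation and collapsed to one space) and the sample header values are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from CGI.pm or CGI::Simple. Builds an HTTP header
# block from name/value pairs and refuses values that would let a caller
# smuggle extra headers. Folded continuation lines (a line break followed by
# a space or tab) are unfolded into a single space; any CR or LF that is
# not followed by whitespace is rejected.
sub safe_headers {
    my @pairs = @_;
    die "odd number of name/value arguments\n" if @pairs % 2;
    my $out = '';
    while (my ($name, $value) = splice @pairs, 0, 2) {
        # Header names are tokens: no whitespace, no colon, no control chars.
        die "Invalid header name '$name'\n"
            unless $name =~ /\A[A-Za-z0-9!#\$%&'*+.^_`|~-]+\z/;
        # Unfold RFC 2616 style continuation lines (assumption: join with one space).
        $value =~ s/\015?\012[ \t]+/ /g;
        # Anything still containing a bare CR or LF is a header injection attempt.
        die "Invalid header value for '$name': newline not followed by whitespace\n"
            if $value =~ /[\015\012]/;
        $out .= "$name: $value\015\012";
    }
    return $out . "\015\012";   # blank line terminates the header block
}

# Random multipart boundary, the idea behind the multipart_init() change:
# with a fixed, guessable boundary, a value under user control could contain
# the separator and end a part early. Perl's rand() is not a CSPRNG; a real
# implementation would draw the bytes from a cryptographic source.
sub random_boundary {
    my @alphabet = ('A'..'Z', 'a'..'z', '0'..'9');
    return '------------' . join '', map { $alphabet[int rand @alphabet] } 1 .. 24;
}

# Constructed sample values.
print safe_headers(
    'Content-Type' => 'text/html; charset=ISO-8859-1',
    'Set-Cookie'   => 'session=abc123; Path=/; HttpOnly',
);

# A folded value is accepted and unfolded.
print safe_headers('X-Folded' => "first line\015\012\tsecond line");

# A value carrying a bare CRLF (which would smuggle a Set-Cookie header) is refused.
my $injected = "text/html\015\012Set-Cookie: forged=1";
eval { safe_headers('Content-Type' => $injected) };
print "rejected: $@" if $@;

print "boundary: ", random_boundary(), "\n";
```

Run it with `perl safe_headers.pl`: the first two calls print well-formed header blocks, the third dies inside the eval and prints the rejection message instead of emitting a second Set-Cookie line. The check sits at the point where header text is serialised, so every caller benefits regardless of where the value came from, which is the same placement the quoted changelog describes for the CGI.pm port.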