Bug#694519: tpu: libcgi-pm-perl/3.59+dfsg-1+deb7u1 (pre-approval)
[trimmed CC list]
On Tue, 2012-11-27 at 08:27 +0100, Salvatore Bonaccorso wrote:
> @ReleaseTeam: This is about #693421 "CVE-2012-5526 CGI.pm: Newline
> injection due to improper CRLF escaping in Set-Cookie and P3P
> headers".
>
> We could wait for some more testing in unstable for the version there.
> The patch for tpu would be the "same" (the package cannot go through
> unstable -> testing).
fwiw, I've been having a look at the diff, and filtering out meta-data,
tests and documentation changes seems to give a reasonably sized diff:
$ debdiff ftp/pool/main/libc/libcgi-pm-perl/libcgi-pm-perl_3.{59+dfsg-1,61-2}.dsc | filterdiff -x '*/t/*' -x '*/META.*' -x '*/repack.*' -x '*/Carp.pm' -x '*/debian/copyright' -x '*/Changes' -x '*/MANIFEST' -x '*/debian/changelog' -x '*/debian/watch'| diffstat
/tmp/llc5QdkBjB/libcgi-pm-perl-3.61/examples/dna.small.gif |binary
/tmp/llc5QdkBjB/libcgi-pm-perl-3.61/examples/wilogo.gif |binary
libcgi-pm-perl-3.61/Makefile.PL | 1
libcgi-pm-perl-3.61/debian/control | 4
libcgi-pm-perl-3.61/debian/patches/0001-CR-escaping-for-P3P-and-Set-Cookie-headers.patch | 67 ++++++++++
libcgi-pm-perl-3.61/debian/patches/series | 1
libcgi-pm-perl-3.61/lib/CGI.pm | 22 +--
libcgi-pm-perl-3.61/lib/CGI/Cookie.pm | 2
8 files changed, 85 insertions(+), 12 deletions(-)
The vast majority of that is the security update which is the subject of
this report.
Regards,
Adam