Your message dated Mon, 20 Jun 2011 19:55:19 +0000
with message-id <[email protected]>
and subject line Bug#622817: fixed in perl 5.10.1-17squeeze1
has caused the Debian Bug report #622817,
regarding perl: CVE-2011-1487: taint laundering in lc, uc
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
622817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622817
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl
Version: 5.10.1-19
Severity: grave
Tags: security
Justification: user security hole
CVE description:
The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
do not apply the taint attribute to the return value upon processing
tainted input, which might allow context-dependent attackers to bypass
the taint protection mechanism via a crafted string.
Upstream report: <http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336>
Redhat bug: <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1487>
Fix from bleadperl:
<http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99>
Fedora fix in 5.12: <https://bugzilla.redhat.com/show_bug.cgi?id=692900>
--- End Message ---
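The behaviour named in the CVE description above can be checked on an installed interpreter. The script below is an added example, not part of the bug report or of the upstream or Debian fix; the file name and sample string are constructed, and it relies on Scalar::Util's tainted() and on a zero-length slice of $^X as a source of taint.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report): reports whether this perl keeps
# the taint flag on the return values of lc, lcfirst, uc and ucfirst.
# Run as:  perl -T taint-case-check.pl     (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Under -T the interpreter path $^X is tainted. A zero-length slice of it is
# an empty string that still carries taint, so appending it taints a value
# whose content we control.
my $taint = substr($^X, 0, 0);
my $input = 'Constructed Sample' . $taint;

# Control: if the input is not tainted, the checks below prove nothing.
die "control failed: input is not tainted\n" unless tainted($input);

# One wrapper per function named in the CVE description, so that each call
# is evaluated in its own statement.
my %case_op = (
    lc      => sub { lc $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    uc      => sub { uc $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

my $lost = 0;
for my $name (sort keys %case_op) {
    my $result = $case_op{$name}->($input);
    if (tainted($result)) {
        print "ok        $name() result is still tainted\n";
    }
    else {
        print "AFFECTED  $name() returned an untainted string\n";
        $lost++;
    }
}

print $lost
    ? "perl $]: $lost of 4 functions drop taint (CVE-2011-1487 behaviour)\n"
    : "perl $]: taint is preserved by all four functions\n";

# Non-zero exit status lets a patch-verification job fail on an affected perl.
exit($lost ? 1 : 0);
```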
--- Begin Message ---
Source: perl
Source-Version: 5.10.1-17squeeze1
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:
libcgi-fast-perl_5.10.1-17squeeze1_all.deb
to main/p/perl/libcgi-fast-perl_5.10.1-17squeeze1_all.deb
libperl-dev_5.10.1-17squeeze1_amd64.deb
to main/p/perl/libperl-dev_5.10.1-17squeeze1_amd64.deb
libperl5.10_5.10.1-17squeeze1_amd64.deb
to main/p/perl/libperl5.10_5.10.1-17squeeze1_amd64.deb
perl-base_5.10.1-17squeeze1_amd64.deb
to main/p/perl/perl-base_5.10.1-17squeeze1_amd64.deb
perl-debug_5.10.1-17squeeze1_amd64.deb
to main/p/perl/perl-debug_5.10.1-17squeeze1_amd64.deb
perl-doc_5.10.1-17squeeze1_all.deb
to main/p/perl/perl-doc_5.10.1-17squeeze1_all.deb
perl-modules_5.10.1-17squeeze1_all.deb
to main/p/perl/perl-modules_5.10.1-17squeeze1_all.deb
perl-suid_5.10.1-17squeeze1_amd64.deb
to main/p/perl/perl-suid_5.10.1-17squeeze1_amd64.deb
perl_5.10.1-17squeeze1.debian.tar.gz
to main/p/perl/perl_5.10.1-17squeeze1.debian.tar.gz
perl_5.10.1-17squeeze1.dsc
to main/p/perl/perl_5.10.1-17squeeze1.dsc
perl_5.10.1-17squeeze1_amd64.deb
to main/p/perl/perl_5.10.1-17squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niko Tyni <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 16 Apr 2011 09:02:05 +0300
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid
libperl5.10 libperl-dev perl
Architecture: source all amd64
Version: 5.10.1-17squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Niko Tyni <[email protected]>
Changed-By: Niko Tyni <[email protected]>
Description:
libcgi-fast-perl - CGI::Fast Perl module
libperl-dev - Perl library: development files
libperl5.10 - shared Perl library
perl - Larry Wall's Practical Extraction and Report Language
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl-modules - Core Perl modules
perl-suid - runs setuid Perl scripts
Closes: 622817
Changes:
perl (5.10.1-17squeeze1) stable-security; urgency=low
.
* [SECURITY] CVE-2011-1487: taint laundering in lc, uc, et al.
(Closes: #622817)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---