Your message dated Sun, 16 Oct 2016 17:03:43 +0000
with message-id <e1bvoqd-0001sf...@franck.debian.org>
and subject line Bug#815840: fixed in libfcgi-perl 0.78-2
has caused the Debian Bug report #815840,
regarding libfcgi-perl: bundles libfcgi, vulnerable to CVE-2012-6687
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
815840: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815840
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libfcgi-perl
Version: 0.77-1+b2
Severity: important
Tags: security upstream

It would appear that the version of libfcgi that upstream has bundled is 
vulnerable to CVE-2012-6687.

I had hoped that unbundling would be our easiest solution here (adding 
"libfcgi-dev" to "Build-Depends" and adding "override_dh_auto_configure" to 
include "--use-installed"), but it runs into issues with "FCGX_Detach" missing:

|    dh_auto_test -O--buildsystem=perl_makemaker
|       make -j1 test TEST_VERBOSE=1
| make[1]: Entering directory '/usr/src/pkg'
| Running Mkbootstrap for FCGI ()
| chmod 644 "FCGI.bs"
| PERL_DL_NONLAZY=1 "/usr/bin/perl" "-Iblib/lib" "-Iblib/arch" test.pl
| 1..1
| # Running under perl version 5.022001 for linux
| # Current time local: Wed Feb 24 23:47:47 2016
| # Current time GMT:   Wed Feb 24 23:47:47 2016
| # Using Test.pm version 1.26
| Can't load 'blib/arch/auto/FCGI/FCGI.so' for module FCGI: blib/arch/auto/FCGI/FCGI.so: undefined symbol: FCGX_Detach at /usr/share/perl/5.22/XSLoader.pm line 70.
|  at blib/arch/FCGI.pm line 8.
| BEGIN failed--compilation aborted at blib/arch/FCGI.pm line 9.
| Compilation failed in require at test.pl line 3.
| BEGIN failed--compilation aborted at test.pl line 3.
| Makefile:1017: recipe for target 'test_dynamic' failed
| make[1]: Leaving directory '/usr/src/pkg'
| make[1]: *** [test_dynamic] Error 2
| dh_auto_test: make -j1 test TEST_VERBOSE=1 returned exit code 2


I'm in a bit over my head, but hopefully something sane can be done here (since 
upstream doesn't seem to be especially active based on the date of the most 
recent release and the activity on the issue tracker).

Thanks!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                       2.21-9
ii  perl                        5.22.1-7
ii  perl-base [perlapi-5.22.1]  5.22.1-7

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: libfcgi-perl
Source-Version: 0.78-2

We believe that the bug you reported is fixed in the latest version of
libfcgi-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 815...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <f...@debian.org> (supplier of updated libfcgi-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 16 Oct 2016 15:48:17 +0200
Source: libfcgi-perl
Binary: libfcgi-perl
Architecture: source amd64
Version: 0.78-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Florian Schlichting <f...@debian.org>
Description:
 libfcgi-perl - helper module for FastCGI
Closes: 815840
Changes:
 libfcgi-perl (0.78-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ gregor herrmann ]
   * Remove Jonathan Yu from Uploaders. Thanks for your work!
 .
   [ Florian Schlichting ]
   * Add fix for CVE-2012-6687 in bundled libfcgi (closes: #815840)


--- End Message ---
