Your message dated Sun, 13 Jan 2013 19:18:08 +0000
with message-id <e1tut4k-0007oz...@franck.debian.org>
and subject line Bug#695224: fixed in perl 5.16.2-2
has caused the Debian Bug report #695224,
regarding perl-modules: Locale::Maketext code injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
695224: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: perl-modules
Severity: important
Version: 5.14.2-15

----- Forwarded message from Ricardo Signes <perl....@rjbs.manxome.org> -----

Date: Wed, 5 Dec 2012 10:51:47 -0500
From: Ricardo Signes <perl....@rjbs.manxome.org>
To: perl5-port...@perl.org
Subject: security notice: Locale::Maketext


Locale::Maketext is a core l10n library that expands templates found in
strings.

Two problems were found, reported, and patched-for by Brian Carlson of cPanel,
and these fixes are now in blead and on the CPAN.

The commit in question is
http://perl5.git.perl.org/perl.git/commit/1735f6f53ca19f99c6e9e39496c486af323ba6a8

The flaws are:

* in a [method,x,y,z] template, the method could be a fully-qualified name
* template expansion did not properly quote metacharacters, allowing
  code injection through a malicious template

Please upgrade your Locale::Maketext, especially if you allow user-provided
templates.

-- 
rjbs



----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

--- End Message ---
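The notice above advises upgrading and warns about user-provided templates. The following is an added example (not code from the notice, the Debian package, or Locale::Maketext's own test suite) of the usage pattern that advice implies: templates come only from a fixed lexicon, and user-supplied text is passed as an argument rather than as the key. The package names, lexicon entry and input string are constructed for the example; it assumes the Locale::Maketext shipped with core Perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed base class for the application's language handles.
package MyApp::L10N;
use parent 'Locale::Maketext';

package MyApp::L10N::en;
use parent -norequire, 'MyApp::L10N';

# Fixed, developer-written lexicon. There is deliberately no '_AUTO' entry:
# with _AUTO an unknown key is itself compiled as a bracket-notation
# template, so only strings in this hash should ever reach the expander.
our %Lexicon = (
    'greeting' => 'Hello, [_1]! You have [quant,_2,message,messages].',
);

package main;

my $lh = MyApp::L10N->get_handle('en')
    or die "cannot build a MyApp::L10N language handle";

# Constructed user input that happens to contain bracket notation.
my $untrusted = 'Alice [_1]';

# Safe: the untrusted text is an argument, not a template. Locale::Maketext
# substitutes arguments as plain data, so the brackets stay literal.
print $lh->maketext('greeting', $untrusted, 3), "\n";

# Unsafe pattern, run only to confirm the lexicon refuses it: the untrusted
# string used as the lookup key. Without '_AUTO' maketext croaks on an
# unknown key; with '_AUTO' => 1 the string would be compiled and expanded,
# which is exactly the exposure the notice describes.
my $compiled = eval { $lh->maketext($untrusted, 'x'); 1 };
print $compiled ? "WARNING: untrusted key was compiled as a template\n"
                : "untrusted key rejected: $@";
```

Auditing an application for this issue means finding every `maketext` call whose first argument is not a literal lexicon key, and every lexicon that sets `_AUTO`.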
--- Begin Message ---
Source: perl
Source-Version: 5.16.2-2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 695...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 13 Jan 2013 17:54:46 +0000
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug libperl5.16 libperl-dev perl
Architecture: source all i386
Version: 5.16.2-2
Distribution: experimental
Urgency: low
Maintainer: Niko Tyni <nt...@debian.org>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.16 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
Closes: 688842 689713 693420 695223 695224
Changes: 
 perl (5.16.2-2) experimental; urgency=low
 .
   [ Dominic Hargreaves ]
   * Merge 5.14.2-15 and 5.14.2-16 from unstable
     + [SECURITY] CVE-2012-5526: CGI.pm improper cookie and p3p
       CRLF escaping (Closes: #693420)
     + [SECURITY] Fix misparsing of maketext strings which could allow
       arbitrary code execution from untrusted maketext templates
       (Closes: #695224)
     + [SECURITY] add warning to Storable documentation that Storable
       documents should not be accepted from untrusted sources
       (Closes: #695223)
     + Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent
       is writable. (Closes: #688842)
     + Don't overwrite $Config{lddlflags} or ccdlflags on GNU/kFreeBSD.
       (Closes: #689713)
 .
   [ Niko Tyni ]
   * Minor packaging improvements:
     + present Debian bugs consistently in patchlevel.h.
     + use gzip -n for reproducible results
     + support comments in file lists
     + fix a syntax error in debian/copyright
     + support the '**' notation in file lists for matching subdirectories


--- End Message ---