OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   06-Aug-2003 17:52:44
  Branch: HEAD                             Handle: 2003080616524400

  Modified files:
    openpkg-web/security    00README OpenPKG-SA-2003.036-perl-www.txt page.pl

  Log:
    finalize perl-www SA

  Summary:
    Revision    Changes     Path
    1.9         +1  -1      openpkg-web/security/00README
    1.2         +20 -9      openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt
    1.22        +1  -1      openpkg-web/security/page.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/00README
  ============================================================================
  $ cvs diff -u -r1.8 -r1.9 00README
  --- openpkg-web/security/00README     6 Aug 2003 13:37:34 -0000       1.8
  +++ openpkg-web/security/00README     6 Aug 2003 15:52:44 -0000       1.9
  @@ -3,7 +3,7 @@
   $ mv OpenPKG-SA-2003.00x-xxx.txt.asc OpenPKG-SA-2003.00x-xxx.txt
   $ gpg --verify OpenPKG-SA-2003.00x-xxx.txt
   $ mutt [EMAIL PROTECTED]
  -  Subject: [OpenPKG-SA-2003.034] OpenPKG Security Advisory (imagemagick)
  +  Subject: [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh)
     Approved: OPENPKG
   $ mutt [EMAIL PROTECTED]
     Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx)
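Review bot: The example Subject line now reads [OpenPKG-SA-2003.035] (openssh), but the commit log is "finalize perl-www SA" and the advisory signed in this commit is OpenPKG-SA-2003.036-perl-www.txt. If 00README is meant to show the advisory currently being announced, this should be 2003.036 (perl-www); if it deliberately trails by one advisory, a one-line comment in the file should say so.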
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.036-perl-www.txt
  --- openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt     6 Aug 2003 15:26:43 
-0000       1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.036-perl-www.txt     6 Aug 2003 15:52:44 
-0000       1.2
  @@ -1,3 +1,6 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
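Review bot: The clearsign header added at the top of the advisory declares "Hash: SHA1". SHA-1 is no longer collision-resistant, so when this or later advisories are signed, select a SHA-2 digest (for example gpg --digest-algo SHA256) and repeat the gpg --verify step from 00README on the committed file.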
  @@ -6,8 +9,8 @@
   OpenPKG-SA-2003.perl-www                                     06-Aug-2003
   ________________________________________________________________________
   
  -Package:             perl-www
  -Vulnerability:       CGI.pm cross site scripting
  +Package:             perl-www (CGI.pm)
  +Vulnerability:       cross site scripting
   OpenPKG Specific:    no
   
   Affected Releases:   Affected Packages:            Corrected Packages:
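Review bot: The context line "OpenPKG-SA-2003.perl-www" directly above the changed Package field still lacks the sequence number, while the file name uses OpenPKG-SA-2003.036 and the Subject convention in 00README is [OpenPKG-SA-2003.0xx]. Because this revision also adds the PGP signature, the ID line should be corrected before signing; fixing it afterwards invalidates the signature. Note too that moving "CGI.pm" out of the Vulnerability field means a search of advisories by that field no longer matches "CGI.pm".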
  @@ -20,25 +23,26 @@
   Description:
     According to a security advisory [0] from [EMAIL PROTECTED] a
     cross site scripting vulnerability exists in the start_form() function
  -  in CGI.pm [1]. The Common Vulnerabilities and Exposures (CVE) project
  -  assigned the id CAN-2003-0615 [2] to the problem.
  +  from CGI.pm [1]. The Common Vulnerabilities and Exposures (CVE)
  +  project assigned the id CAN-2003-0615 [2] to the problem.
   
     Note that beginning with perl-www-20030609-20030609 and
  -  perl-www-1.3.0-1.3.0 a preliminary patch was already included which
  -  fixes the specific issue discussed in the original SA. The corrected
  -  packages include a more generalized patch.
  +  perl-www-1.3.0-1.3.0 a preliminary vendor patch was already included
  +  which fixes the specific issue discussed in the original advisory. Our
  +  corrected packages now include the more generalized patch the author
  +  uses in his latest version.
   
     Please check whether you are affected by running "<prefix>/bin/rpm
     -q perl-www". If you have the "perl-www" package installed and its
     version is affected (see above), we recommend that you immediately
  -  upgrade it (see Solution).
  +  upgrade it (see Solution). [3][4]
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
     [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
     location, verify its integrity [9], build a corresponding binary RPM
     from it [3] and update your OpenPKG installation by applying the
  -  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  +  binary RPM [4]. For the current release OpenPKG 1.3, perform the
     following operations to permanently fix the security problem (for
     other releases adjust accordingly).
   
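Review bot: The new Description sentence "the more generalized patch the author uses in his latest version" does not name the CGI.pm version it refers to, so a reader cannot tell whether a locally installed CGI.pm already carries that patch; state the upstream version number. With the Solution text changed from "OpenPKG 1.2" to "OpenPKG 1.3", also check that the example commands that follow (outside this hunk) use the 1.3 package names.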
  @@ -73,3 +77,10 @@
   for details on how to verify the integrity of this advisory.
   ________________________________________________________________________
   
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE/MSQugHWT4GPEy58RAg8kAKDgc5NmCQwakcFYgvPSq6UmZ+YS4QCg0/Nw
  +HT1320vVAJLYvDezyPDxmxY=
  +=D7Pf
  +-----END PGP SIGNATURE-----
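Review bot: The "Comment: OpenPKG <...>" line in the added signature block is an armor header and is not covered by the signature, so it says nothing about who actually signed; readers have to rely on verifying against the project key, as the advisory's closing text directs. Since the wording changes in the earlier hunks and the signature land in the same revision, run gpg --verify on a fresh checkout of r1.2 to confirm the signature matches the text as committed.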
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/page.pl
  ============================================================================
  $ cvs diff -u -r1.21 -r1.22 page.pl
  --- openpkg-web/security/page.pl      6 Aug 2003 15:26:43 -0000       1.21
  +++ openpkg-web/security/page.pl      6 Aug 2003 15:52:44 -0000       1.22
  @@ -13,7 +13,7 @@
   foreach my $sa (reverse sort @SA) {
       my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
       next if ($name =~ m|^0000|);
  -    next if ($name =~ m|^2003\.03[7-9]|);
  +    next if ($name =~ m|^2003\.03[8-9]|);
       if ($this_year ne $year) {
           $sidebar .= "<br>\n";
           $this_year = $year;
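Review bot: The skip pattern m|^2003\.03[8-9]| hides only advisories 038 and 039, so a draft numbered 2003.040 or later committed to this directory would appear on the public page, and the pattern has to be hand-edited for every release, as this change shows. Consider skipping any advisory file that lacks the "-----BEGIN PGP SIGNED MESSAGE-----" header, or keep the last published number in one variable and compare against it numerically.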
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
