OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   16-Sep-2003 12:18:55
  Branch: HEAD                             Handle: 2003091611185400

  Modified files:
    openpkg-web/security    00README OpenPKG-SA-2003.039-perl.txt page.pl

  Log:
    flush pending changes

  Summary:
    Revision    Changes     Path
    1.11        +2  -2      openpkg-web/security/00README
    1.2         +32 -21     openpkg-web/security/OpenPKG-SA-2003.039-perl.txt
    1.24        +1  -1      openpkg-web/security/page.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/00README
  ============================================================================
  $ cvs diff -u -r1.10 -r1.11 00README
  --- openpkg-web/security/00README     6 Aug 2003 15:54:34 -0000       1.10
  +++ openpkg-web/security/00README     16 Sep 2003 10:18:54 -0000      1.11
  @@ -3,8 +3,8 @@
   $ mv OpenPKG-SA-2003.00x-xxx.txt.asc OpenPKG-SA-2003.00x-xxx.txt
   $ gpg --verify OpenPKG-SA-2003.00x-xxx.txt
   $ mutt [EMAIL PROTECTED]
  -  Subject: [OpenPKG-SA-2003.036] OpenPKG Security Advisory (perl-www)
  +  Subject: [OpenPKG-SA-2003.039] OpenPKG Security Advisory (perl)
     Approved: OPENPKG
   $ mutt [EMAIL PROTECTED]
  -  Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx)
  +$ mutt [EMAIL PROTECTED]
   
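Review bot: The second `$ mutt` step loses its `Subject:` line in this hunk. The template line `Subject: [OpenPKG-SA-2003.00x] OpenPKG Security Advisory (xxx)` is replaced by a third bare `$ mutt` command, so the last two send steps show no header lines at all in the visible context. If those mails need a subject (and `Approved: OPENPKG`, as the first one has), list the headers under each command. Also consider keeping the `00x`/`xxx` placeholders in the first `Subject:` instead of hard-coding 2003.039, so the checklist does not need an edit for every advisory.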
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.039-perl.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.039-perl.txt
  --- openpkg-web/security/OpenPKG-SA-2003.039-perl.txt 15 Sep 2003 13:27:23 -0000     
 1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.039-perl.txt 16 Sep 2003 10:18:54 -0000     
 1.2
  @@ -1,3 +1,6 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
  @@ -8,9 +11,9 @@
   
   Package:             perl (CGI.pm)
   Vulnerability:       cross site scripting
  -OpenPKG Specific:    no
  +OpenPKG Specific:    yes
   
  -Affected Releases:   Affected Packages:            Corrected Packages:
  +Affected Releases:   Affected Packages:        Corrected Packages:
   OpenPKG CURRENT      <= perl-5.8.0-20030903    >= perl-5.8.0-20030915
   OpenPKG 1.3          <= perl-5.8.0-1.3.0       >= perl-5.8.0-1.3.1
   OpenPKG 1.2          <= perl-5.8.0-1.2.0       >= perl-5.8.0-1.2.1
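Review bot: The flip of `OpenPKG Specific:` from `no` to `yes` is not explained anywhere in the visible advisory text. The description still ties the problem to CAN-2003-0615 and says the "official fix" was backported to the embedded CGI.pm, which reads like an upstream issue. Add one sentence saying what makes this advisory OpenPKG specific (for example the embedded-versus-additional module packaging, if that is the reason), or leave the field at `no`.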
  @@ -21,28 +24,28 @@
     This message is a continuation of OpenPKG-SA-2003.036-perl-www [0].
     The Common Vulnerabilities and Exposures (CVE) project assigned the
     id CAN-2003-0615 [1] to the problem described. This document also
  -  outlines a important problematic regarding the native load order of
  -  perl modules.
  -  
  -  The CGI.pm module not only comes with the "perl-www" package but a
  -  ancient version 2.81 is also embedded into "perl". The corrected
  -  packages mentioned above have the official fix backported to the
  -  embedded version.
  +  outlines an important problematic regarding the native load order of
  +  Perl modules.
  +
  +  The CGI.pm module not only comes with the "perl-www" package but an
  +  ancient version 2.81 is also embedded into the "perl" package. The
  +  corrected packages mentioned above have the official fix backported to
  +  the embedded version.
   
     Be aware that all releases of OpenPKG up to and including 1.3 use
  -  Perl's native load order of modules. Embedded modules are preferred
  -  over additional modules. This means that CGI.pm embedded into the
  -  "perl" package is loaded before the sibling from the additional
  -  "perl-www" package is found. This inhibits the use and correction of
  -  additional modules with same name as embedded ones.
  +  Perl's native load order for modules where embedded modules are
  +  preferred over additional modules. This means that the CGI.pm
  +  embedded into the "perl" package is loaded before the sibling from
  +  the additional "perl-www" package is found. This inhibits the use and
  +  correction of additional modules with same name as embedded ones.
   
     It should be noted that beginning with perl-5.8.0-20030903 the load
  -  order is patched to prefer additional modules [2]. There are no plans
  -  modifiying the module load order of the "perl" package in existing
  -  releases. Although more intuitive it would change existing behaviour
  -  and is likely to break existing installations. During the support
  -  lifecycle security advisories and corrected packages will be issued
  -  for both, embedded and additional packages.
  +  order is adjusted to prefer additional modules over embedded ones [2].
  +  There are no plans modifiying the module load order of the "perl"
  +  package in existing releases. Although more intuitive, it would change
  +  existing behaviour and is likely to break existing installations.
  +  During the support lifecycle, security advisories and corrected
  +  packages will be issued for both embedded and additional packages.
   
     Please check whether you are affected by running "<prefix>/bin/rpm -q
     perl". If you have the "perl" package installed and its version is
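Review bot: The reworded paragraphs still carry language errors in the added lines: "There are no plans modifiying" (misspelling, and it should read "no plans to modify"), "an important problematic" (should be "problem" or "issue"), and "with same name" (missing "the"). Because this same revision wraps the file in a clearsigned PGP message, these should be corrected before signing, since any later edit to the text requires a new signature.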
  @@ -87,4 +90,12 @@
   OpenPKG project which you can retrieve from http://pgp.openpkg.org and
   hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
   for details on how to verify the integrity of this advisory.
  -_________________________
  +________________________________________________________________________
  +
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE/ZdREgHWT4GPEy58RAkkGAKCRUtKz9JKDcvN/arW5+jrL+0UqIgCgw7U9
  +98GlCzZqIAZilnkwX39/jNs=
  +=Sb5R
  +-----END PGP SIGNATURE-----
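Review bot: The `Comment:` armor header in the added signature block is not covered by the signature, so it should not be treated as evidence of who signed; readers need to check the signing key against the one published at http://pgp.openpkg.org as the context lines instruct. Since the signed body now lives in CVS, confirm that `gpg --verify` (the step listed in 00README) passes on the committed revision. Any whitespace or keyword change made on check-in would invalidate the signature.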
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/page.pl
  ============================================================================
  $ cvs diff -u -r1.23 -r1.24 page.pl
  --- openpkg-web/security/page.pl      15 Sep 2003 11:49:29 -0000      1.23
  +++ openpkg-web/security/page.pl      16 Sep 2003 10:18:54 -0000      1.24
  @@ -13,7 +13,7 @@
   foreach my $sa (reverse sort @SA) {
       my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
       next if ($name =~ m|^0000|);
  -    next if ($name =~ m|^2003\.03[9-9]|);
  +    next if ($name =~ m|^2003\.04[0-9]|);
       if ($this_year ne $year) {
           $sidebar .= "<br>\n";
           $this_year = $year;
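Review bot: The changed line `next if ($name =~ m|^2003\.04[0-9]|);` keeps the set of hidden advisories as a hard-coded pattern that has to be edited by hand for every release. It covers only 2003.040 through 2003.049, so a draft file numbered 050 or later, or one from a later year, would be listed in the sidebar as soon as it is in the directory. Consider comparing the parsed number against a single "first unpublished" value defined at the top of the script, or keeping drafts out of the published directory. Separately, the match on the line above is not checked, so a file name that does not fit the pattern leaves `$name` undefined for the following tests.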
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
