Bug#702821: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
On Tue, Mar 12, 2013 at 01:07:37PM +0100, Thijs Kinkhorst wrote:
> On Mon, March 11, 2013 21:47, Niko Tyni wrote:
> > Cc'ing the security team. Once we have a fix, I suppose we'll need to fix
> > libapache2-mod-perl2 via stable-security?
>
> Yes please.

Hi security team,

Forgot to include you in my last update, but: there is a working fix now in git

  http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/squeeze

You can see some dialogue about the correctness of the patches in the bug log. May I upload this to squeeze-security?

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug#702821: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
On Mon, March 11, 2013 21:47, Niko Tyni wrote:
> Cc'ing the security team. Once we have a fix, I suppose we'll need to fix
> libapache2-mod-perl2 via stable-security?

Yes please.

Cheers,
Thijs
Bug#702821: libapache2-mod-perl2: FTBFS: the CVE-2013-1667 fix breaks t/perl/hash_attack.t
Package: libapache2-mod-perl2
Version: 2.0.7-2
Severity: serious
Control: found -1 2.0.4-7
X-Debbugs-Cc: t...@security.debian.org, p...@packages.debian.org

As noted on the modperl users list in

  http://mail-archives.apache.org/mod_mbox/perl-modperl/201303.mbox/%3C67B2BB40A61BE846B65EF4793B863D6C610AF5@ukmail02.planit.group%3E

the perl fix for CVE-2013-1667 (rehashing flaw) makes t/perl/hash_attack.t in libapache2-mod-perl2 fail, so the latter package now fails to build from source. Verified on both squeeze and sid/wheezy.

  t/perl/api.t ok
  request has failed (the response code was: 500)
  see t/logs/error_log for more details
  t/perl/hash_attack.t Dubious, test returned 255 (wstat 65280, 0xff00)
  Failed 1/1 subtests
  [...]
  Result: FAIL
  Failed 1/242 test programs. 0/3534 subtests failed.

No patch yet, but according to Steve Hay in the above message there is one floating around:

  I have seen a patch for it on the perl5-security list, and will hopefully apply it soon.

so it's probably best to wait a moment before disabling the test.

FWIW the SVN repository is at

  svn co https://svn.apache.org/repos/asf/perl/modperl/trunk

and can be browsed at

  http://svn.apache.org/viewvc/perl/modperl/trunk/

Cc'ing the security team. Once we have a fix, I suppose we'll need to fix libapache2-mod-perl2 via stable-security?

--
Niko Tyni nt...@debian.org