This is an automated email from the git hooks/post-receive script. carnil pushed a commit to branch wheezy in repository libmodule-signature-perl.
commit cb1682912b5449ba00f200a855bf3c93f8604864 Author: Salvatore Bonaccorso <car...@debian.org> Date: Thu May 14 17:36:08 2015 +0200 Prepare changelog for release to wheezy-security Git-Dch: Ignore --- debian/changelog | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/debian/changelog b/debian/changelog index 3d354ac..5b7fc83 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,28 @@ +libmodule-signature-perl (0.68-1+deb7u2) wheezy-security; urgency=high + + * Team upload. + * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch. + CVE-2015-3406: Module::Signature parses the unsigned portion of the + SIGNATURE file as the signed portion due to incorrect handling of PGP + signature boundaries. + CVE-2015-3407: Module::Signature incorrectly handles files that are not + listed in the SIGNATURE file. This includes some files in the t/ + directory that would execute when tests are run. + CVE-2015-3408: Module::Signature uses two argument open() calls to read + the files when generating checksums from the signed manifest, allowing + to embed arbitrary shell commands into the SIGNATURE file that would + execute during the signature verification process. (Closes: #783451) + * Add CVE-2015-3409.patch patch. + CVE-2015-3409: Module::Signature incorrectly handles module loading + allowing to load modules from relative paths in @INC. A remote attacker + providing a malicious module could use this issue to execute arbitrary + code during signature verification. (Closes: #783451) + * Add Fix-signature-tests.patch patch. + Fix signature tests by defaulting to verify(skip=>1) when + $ENV{TEST_SIGNATURE} is true. + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 14 May 2015 17:35:32 +0200 + libmodule-signature-perl (0.68-1+deb7u1) wheezy; urgency=low * Team upload. -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
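Review bot: the last bullet of the new 0.68-1+deb7u2 stanza (Fix-signature-tests.patch) says what the patch does, defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true, but not why a security upload needs it. If it only adapts the package's own test suite to the stricter behaviour introduced by the CVE patches, please say so in one line, so a reader of the advisory does not mistake it for a change to how verification works for users. The two CVE patch bullets also do not record which upstream release or commit the patches were taken from; adding that would make the backport easier to audit. Minor: "(Closes: #783451)" appears under both patch bullets where once is enough, and "allowing to embed" / "allowing to load" read better with an explicit subject, for example "allowing an attacker to embed".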