Package: libcgi-application-perl
Version: 4.31-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

An API change introduced already in 2008 (commit 61d327646f01fe) may cause unexpected and unwanted data dumps of a complete set of web query data and environment to the public. Developers of web apps written before the change are probably unaware of the problem since the general behaviour changes only in the case of a software error.

The issue has already been reported here:
https://rt.cpan.org/Ticket/Display.html?id=84403

A patch has already been suggested here:
https://rt.cpan.org/Ticket/Display.html?id=84403

IMHO you should consider a security backport of the patch for all affected package versions.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/24 CPU cores)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcgi-application-perl depends on:
ii  perl          5.10.1-17squeeze3  Larry Wall's Practical Extraction
ii  perl-modules  5.10.1-17squeeze3  Core Perl modules

libcgi-application-perl recommends no packages.

Versions of packages libcgi-application-perl suggests:
ii  libhtml-template-perl  2.9-2  module for using HTML Templates wi

-- no debconf information

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team

