Debian Bug report logs - #631529
Missing fix for CVE-2010-1447

version graph

Package: perl; Maintainer for perl is Niko Tyni <ntyni@debian.org>; Source for perl is src:perl.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 24 Jun 2011 16:57:03 UTC

Severity: grave

Tags: security

Found in versions perl/5.10.1-17squeeze1, 5.10.0-19lenny4

Fixed in versions 5.10.1-17squeeze2, 5.10.0-19lenny5, perl/5.12.3-7

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Fri, 24 Jun 2011 16:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Niko Tyni <ntyni@debian.org>. (Fri, 24 Jun 2011 16:57:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Missing fix for CVE-2010-1447
Date: Fri, 24 Jun 2011 18:56:40 +0200
[Message part 1 (text/plain, inline)]
Package: perl
Severity: grave
Tags: security

Hi Perl maintainers,
it turns out that CVE-2010-1447 is still missing in Lenny and
Squeeze. It was originally attributed to Postgres, but it
was later found out that Perl is affected as well.

The attached patch is still needed in both Lenny and Squeeze.

Cheers,
        Moritz
[CVE-2010-1447.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Sat, 25 Jun 2011 11:58:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sat, 25 Jun 2011 11:58:24 GMT) Full text and rfc822 format available.

Message #10 received at 631529@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 631529@bugs.debian.org
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Sat, 25 Jun 2011 12:09:03 +0100
On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> Package: perl
> Severity: grave
> Tags: security
> 
> Hi Perl maintainers,
> it turns out that CVE-2010-1447 is still missing in Lenny and
> Squeeze. It was originally attributed to Postgres, but it
> was later found out that Perl is affected as well.
> 
> The attached patch is still needed in both Lenny and Squeeze.

Thanks for pointing this out. I'll verify the patch and prepare packages;
do you want them uploaded to security-master ASAP?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug Marked as fixed in versions perl/5.12.3-7. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 25 Jun 2011 15:27:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions perl/5.10.1-17squeeze1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 25 Jun 2011 15:27:06 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 5.10.0-19lenny4. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 25 Jun 2011 15:27:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#631529; Package perl. (Sun, 26 Jun 2011 05:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Sun, 26 Jun 2011 05:51:03 GMT) Full text and rfc822 format available.

Message #21 received at 631529@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 631529@bugs.debian.org
Cc: Moritz Muehlenhoff <muehlenhoff@univention.de>
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Sun, 26 Jun 2011 08:49:12 +0300
On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > Package: perl
> > Severity: grave
> > Tags: security
> > 
> > Hi Perl maintainers,
> > it turns out that CVE-2010-1447 is still missing in Lenny and
> > Squeeze. It was originally attributed to Postgres, but it
> > was later found out that Perl is affected as well.
> > 
> > The attached patch is still needed in both Lenny and Squeeze.
> 
> Thanks for pointing this out. I'll verify the patch and prepare packages;
> do you want them uploaded to security-master ASAP?

Please note that this is probably going to break libpetal-perl and no
fix is available. See #582805.
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Mon, 27 Jun 2011 17:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 27 Jun 2011 17:03:06 GMT) Full text and rfc822 format available.

Message #26 received at 631529@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Niko Tyni <ntyni@debian.org>
Cc: Dominic Hargreaves <dom@earth.li>, 631529@bugs.debian.org, Moritz Muehlenhoff <muehlenhoff@univention.de>
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Mon, 27 Jun 2011 19:01:24 +0200
On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > Package: perl
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi Perl maintainers,
> > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > Squeeze. It was originally attributed to Postgres, but it
> > > was later found out that Perl is affected as well.
> > > 
> > > The attached patch is still needed in both Lenny and Squeeze.
> > 
> > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > do you want them uploaded to security-master ASAP?
> 
> Please note that this is probably going to break libpetal-perl and no
> fix is available. See #582805.

But this software must've already been broken with the initial Safe.pm fix for
Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Mon, 27 Jun 2011 21:28:46 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Mon, 27 Jun 2011 21:28:47 GMT) Full text and rfc822 format available.

Message #31 received at 631529@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Mühlenhoff <jmm@inutil.org>, 631529@bugs.debian.org
Cc: Niko Tyni <ntyni@debian.org>, Moritz Muehlenhoff <muehlenhoff@univention.de>
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Mon, 27 Jun 2011 22:27:31 +0100
On Mon, Jun 27, 2011 at 07:01:24PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> > On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi Perl maintainers,
> > > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > > Squeeze. It was originally attributed to Postgres, but it
> > > > was later found out that Perl is affected as well.
> > > > 
> > > > The attached patch is still needed in both Lenny and Squeeze.
> > > 
> > > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > > do you want them uploaded to security-master ASAP?
> > 
> > Please note that this is probably going to break libpetal-perl and no
> > fix is available. See #582805.
> 
> But this software must've already been broken with the initial Safe.pm fix for
> Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

I don't think so, no. libpetal-perl builds okay for me on squeeze.
The referenced bug mentions the change in 2.27:

    - Wrap coderefs returned by reval() and rdo()

(the change we're applying in this bug).

I think the opinion of the perl maintainers is that we shouldn't worry
about that package too much, but I guess that's a call for the security
team.

squeeze packages fixing this bug are ready to upload; lenny packages 
need a little more work to get the tests passing again.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#631529; Package perl. (Tue, 28 Jun 2011 11:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Tue, 28 Jun 2011 11:30:08 GMT) Full text and rfc822 format available.

Message #36 received at 631529@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 631529@bugs.debian.org
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Tue, 28 Jun 2011 14:26:27 +0300
On Mon, Jun 27, 2011 at 07:01:24PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> > On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: perl
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi Perl maintainers,
> > > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > > Squeeze. It was originally attributed to Postgres, but it
> > > > was later found out that Perl is affected as well.
> > > > 
> > > > The attached patch is still needed in both Lenny and Squeeze.
> > > 
> > > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > > do you want them uploaded to security-master ASAP?
> > 
> > Please note that this is probably going to break libpetal-perl and no
> > fix is available. See #582805.
> 
> But this software must've already been broken with the initial Safe.pm fix for
> Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

No, it's really this fix for CVE-2010-1447 that breaks it.

I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
builds fine without CVE-2010-1447.patch, but applying the patch
manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
/usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
and burn.

I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
this; quoting myself in #582978:

  Upstream is now at 2.27, which has further related changes and was also
  bundled with Perl 5.12.1. However, it causes regressions in (at least)
  libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
  two regressions don't happen with 2.25. 

See also my mail to team@security.debian.org in January 2011 with
CVE-2010-1168 in the subject and
 Message-ID: <20110114185338.GA25109@madeleine.local.invalid>


Fortunately libtext-micromason-perl isn't a problem in this context:
  - it's not in Lenny at all 
  - the Squeeze package got fixed in time, and I've verified the it still
    builds with CVE-2010-1447.patch

-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Tue, 28 Jun 2011 16:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 28 Jun 2011 16:33:03 GMT) Full text and rfc822 format available.

Message #41 received at 631529@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Niko Tyni <ntyni@debian.org>
Cc: 631529@bugs.debian.org
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Tue, 28 Jun 2011 18:28:52 +0200
On Tue, Jun 28, 2011 at 02:26:27PM +0300, Niko Tyni wrote:
> > But this software must've already been broken with the initial Safe.pm fix for
> > Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)
> 
> No, it's really this fix for CVE-2010-1447 that breaks it.
> 
> I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
> builds fine without CVE-2010-1447.patch, but applying the patch
> manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
> /usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
> and burn.
> 
> I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
> this; quoting myself in #582978:
> 
>   Upstream is now at 2.27, which has further related changes and was also
>   bundled with Perl 5.12.1. However, it causes regressions in (at least)
>   libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
>   two regressions don't happen with 2.25. 
> 
> See also my mail to team@security.debian.org in January 2011 with
> CVE-2010-1168 in the subject and
>  Message-ID: <20110114185338.GA25109@madeleine.local.invalid>
> 
> 
> Fortunately libtext-micromason-perl isn't a problem in this context:
>   - it's not in Lenny at all 
>   - the Squeeze package got fixed in time, and I've verified the it still
>     builds with CVE-2010-1447.patch

Ahh, I forgot that mail. Personally I would think the perl update is
more important than Petal, which is dead upstream and has hardly
any users in popcon. We can add a note to the DSA, so that people
who really need it can set the old Perl package on hold. If there's
no fix for Petal in the next months it can be removed in a point
update.

Dominic, Niko, do you agree? I would leave the decision to the Perl
maintainers.

Cheers,
        Moritz








Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Tue, 28 Jun 2011 20:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Tue, 28 Jun 2011 20:57:03 GMT) Full text and rfc822 format available.

Message #46 received at 631529@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Muehlenhoff <jmm@inutil.org>, 631529@bugs.debian.org
Cc: Niko Tyni <ntyni@debian.org>, pkg-perl-maintainers@lists.alioth.debian.org
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Tue, 28 Jun 2011 21:55:26 +0100
On Tue, Jun 28, 2011 at 06:28:52PM +0200, Moritz Muehlenhoff wrote:
> On Tue, Jun 28, 2011 at 02:26:27PM +0300, Niko Tyni wrote:
> > > But this software must've already been broken with the initial Safe.pm fix for
> > > Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)
> > 
> > No, it's really this fix for CVE-2010-1447 that breaks it.
> > 
> > I've verified on both Lenny and Squeeze that libpetal-perl_2.19-1
> > builds fine without CVE-2010-1447.patch, but applying the patch
> > manually to /usr/lib/perl/5.10/Safe.pm (or, in the squeeze case,
> > /usr/share/perl/5.10/Safe.pm) makes the libpetal-perl test suite crash
> > and burn.
> > 
> > I see I left the CVE-2010-1168 update at Safe-2.25 precisely because of
> > this; quoting myself in #582978:
> > 
> >   Upstream is now at 2.27, which has further related changes and was also
> >   bundled with Perl 5.12.1. However, it causes regressions in (at least)
> >   libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
> >   two regressions don't happen with 2.25. 
> > 
> > See also my mail to team@security.debian.org in January 2011 with
> > CVE-2010-1168 in the subject and
> >  Message-ID: <20110114185338.GA25109@madeleine.local.invalid>
> > 
> > 
> > Fortunately libtext-micromason-perl isn't a problem in this context:
> >   - it's not in Lenny at all 
> >   - the Squeeze package got fixed in time, and I've verified the it still
> >     builds with CVE-2010-1447.patch
> 
> Ahh, I forgot that mail. Personally I would think the perl update is
> more important than Petal, which is dead upstream and has hardly
> any users in popcon. We can add a note to the DSA, so that people
> who really need it can set the old Perl package on hold. If there's
> no fix for Petal in the next months it can be removed in a point
> update.
> 
> Dominic, Niko, do you agree? I would leave the decision to the Perl
> maintainers.

I'm happy with this. I'm CCing the Debian perl group in case there
are any additional views there (please see the log at
<http://bugs.debian.org/631529> for the full context.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#631529; Package perl. (Wed, 29 Jun 2011 11:12:25 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Wed, 29 Jun 2011 11:12:34 GMT) Full text and rfc822 format available.

Message #51 received at 631529@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 631529@bugs.debian.org
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Wed, 29 Jun 2011 14:10:17 +0300
On Tue, Jun 28, 2011 at 06:28:52PM +0200, Moritz Muehlenhoff wrote:

> Ahh, I forgot that mail. Personally I would think the perl update is
> more important than Petal, which is dead upstream and has hardly
> any users in popcon. We can add a note to the DSA, so that people
> who really need it can set the old Perl package on hold. If there's
> no fix for Petal in the next months it can be removed in a point
> update.

Fine by me.
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Wed, 29 Jun 2011 15:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 29 Jun 2011 15:33:03 GMT) Full text and rfc822 format available.

Message #56 received at 631529@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Niko Tyni <ntyni@debian.org>
Cc: 631529@bugs.debian.org
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Wed, 29 Jun 2011 17:30:08 +0200
On Wed, Jun 29, 2011 at 02:10:17PM +0300, Niko Tyni wrote:
> On Tue, Jun 28, 2011 at 06:28:52PM +0200, Moritz Muehlenhoff wrote:
> 
> > Ahh, I forgot that mail. Personally I would think the perl update is
> > more important than Petal, which is dead upstream and has hardly
> > any users in popcon. We can add a note to the DSA, so that people
> > who really need it can set the old Perl package on hold. If there's
> > no fix for Petal in the next months it can be removed in a point
> > update.
> 
> Fine by me.

Ok, seems there's no objections from pkg-perl. Dominic, feel free to
upload to security-master once the update is ready.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#631529; Package perl. (Thu, 30 Jun 2011 21:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Thu, 30 Jun 2011 21:51:03 GMT) Full text and rfc822 format available.

Message #61 received at 631529@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: Moritz Muehlenhoff <jmm@inutil.org>, 631529@bugs.debian.org
Cc: Niko Tyni <ntyni@debian.org>
Subject: Re: Bug#631529: Missing fix for CVE-2010-1447
Date: Thu, 30 Jun 2011 22:49:19 +0100
On Wed, Jun 29, 2011 at 05:30:08PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Jun 29, 2011 at 02:10:17PM +0300, Niko Tyni wrote:
> > On Tue, Jun 28, 2011 at 06:28:52PM +0200, Moritz Muehlenhoff wrote:
> > 
> > > Ahh, I forgot that mail. Personally I would think the perl update is
> > > more important than Petal, which is dead upstream and has hardly
> > > any users in popcon. We can add a note to the DSA, so that people
> > > who really need it can set the old Perl package on hold. If there's
> > > no fix for Petal in the next months it can be removed in a point
> > > update.
> > 
> > Fine by me.
> 
> Ok, seems there's no objections from pkg-perl. Dominic, feel free to
> upload to security-master once the update is ready.

Okay, now done for lenny and squeeze.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Mon, 04 Jul 2011 11:57:55 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Mon, 04 Jul 2011 11:58:01 GMT) Full text and rfc822 format available.

Message #66 received at 631529-done@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 631529-done@bugs.debian.org
Subject: Fixed in lenny and squeeze
Date: Mon, 4 Jul 2011 12:55:42 +0100
Version: 5.10.1-17squeeze2, 5.10.0-19lenny5

Now fixed in stable and oldstable, so closing.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug Marked as fixed in versions 5.10.0-19lenny5. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Mon, 04 Jul 2011 13:03:12 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 5.10.1-17squeeze2. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Mon, 04 Jul 2011 13:03:25 GMT) Full text and rfc822 format available.

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Wed, 20 Jul 2011 20:03:08 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Wed, 20 Jul 2011 20:03:08 GMT) Full text and rfc822 format available.

Message #75 received at 631529-close@bugs.debian.org (full text, mbox):

From: Dominic Hargreaves <dom@earth.li>
To: 631529-close@bugs.debian.org
Subject: Bug#631529: fixed in perl 5.10.1-17squeeze2
Date: Wed, 20 Jul 2011 20:00:17 +0000
Source: perl
Source-Version: 5.10.1-17squeeze2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive:

libcgi-fast-perl_5.10.1-17squeeze2_all.deb
  to main/p/perl/libcgi-fast-perl_5.10.1-17squeeze2_all.deb
libperl-dev_5.10.1-17squeeze2_i386.deb
  to main/p/perl/libperl-dev_5.10.1-17squeeze2_i386.deb
libperl5.10_5.10.1-17squeeze2_i386.deb
  to main/p/perl/libperl5.10_5.10.1-17squeeze2_i386.deb
perl-base_5.10.1-17squeeze2_i386.deb
  to main/p/perl/perl-base_5.10.1-17squeeze2_i386.deb
perl-debug_5.10.1-17squeeze2_i386.deb
  to main/p/perl/perl-debug_5.10.1-17squeeze2_i386.deb
perl-doc_5.10.1-17squeeze2_all.deb
  to main/p/perl/perl-doc_5.10.1-17squeeze2_all.deb
perl-modules_5.10.1-17squeeze2_all.deb
  to main/p/perl/perl-modules_5.10.1-17squeeze2_all.deb
perl-suid_5.10.1-17squeeze2_i386.deb
  to main/p/perl/perl-suid_5.10.1-17squeeze2_i386.deb
perl_5.10.1-17squeeze2.debian.tar.gz
  to main/p/perl/perl_5.10.1-17squeeze2.debian.tar.gz
perl_5.10.1-17squeeze2.dsc
  to main/p/perl/perl_5.10.1-17squeeze2.dsc
perl_5.10.1-17squeeze2_i386.deb
  to main/p/perl/perl_5.10.1-17squeeze2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631529@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Jun 2011 16:10:22 +0100
Source: perl
Binary: perl-base libcgi-fast-perl perl-doc perl-modules perl-debug perl-suid libperl5.10 libperl-dev perl
Architecture: source all i386
Version: 5.10.1-17squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libcgi-fast-perl - CGI::Fast Perl module
 libperl-dev - Perl library: development files
 libperl5.10 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules - Core Perl modules
 perl-suid  - runs setuid Perl scripts
Closes: 631529
Changes: 
 perl (5.10.1-17squeeze2) stable-security; urgency=low
 .
   * [SECURITY] CVE-2010-1447: further Safe.pm fixes for breaking out
     of safe compartment using subroutine references (Closes: #631529)
Checksums-Sha1: 
 1e72de11db1e31c1b122349f7151b500dee8e907 1422 perl_5.10.1-17squeeze2.dsc
 7f17a83bda41a24c10d9929f8352f2bad73fa0d3 116450 perl_5.10.1-17squeeze2.debian.tar.gz
 b3bc80ce4ad735c00e6456c009ca6967d8c93a58 52780 libcgi-fast-perl_5.10.1-17squeeze2_all.deb
 bde537d527a58036d60fa3c70e0eb3dfd2df7403 7188450 perl-doc_5.10.1-17squeeze2_all.deb
 de49deadafec8ce5bd6101c59a69e05d1053ba92 3490048 perl-modules_5.10.1-17squeeze2_all.deb
 12489318d45af25785500fe5970402c2be612232 980020 perl-base_5.10.1-17squeeze2_i386.deb
 6261b2e963236032baf458118d04210cd26617c3 6630538 perl-debug_5.10.1-17squeeze2_i386.deb
 8091d4d1848e96fdd6df9fe8c2966acfecf203cb 32812 perl-suid_5.10.1-17squeeze2_i386.deb
 d09ca4d058afd82a0671599923bd2080b584116a 632860 libperl5.10_5.10.1-17squeeze2_i386.deb
 d534b45ce878a7fa6c6b454cf3563a9c2924f193 2344576 libperl-dev_5.10.1-17squeeze2_i386.deb
 e1cda8c4a0816e4a787616d4a3784209a3ea03a3 3779812 perl_5.10.1-17squeeze2_i386.deb
Checksums-Sha256: 
 070034c9393eb83456ad48d966fb0907584538afb48d76a4c99aa62ec5cf7c55 1422 perl_5.10.1-17squeeze2.dsc
 35734672c73fceeb61e2b97d4b28db52b59ebb5267bf2017d62ce416cca92782 116450 perl_5.10.1-17squeeze2.debian.tar.gz
 8f8080f044db3638154229c7a128e74fcad909674b39765059cbe5718fb78054 52780 libcgi-fast-perl_5.10.1-17squeeze2_all.deb
 a2ede571668e0d4ea9693a40c35e557024dab8789163e2d821956b42345fcc9e 7188450 perl-doc_5.10.1-17squeeze2_all.deb
 a02debd5eef6a9c41764b9170837200dd8c266dae5008a3b38a4b9251108f52c 3490048 perl-modules_5.10.1-17squeeze2_all.deb
 56de870961c14dc4afb4bf69c79f3605002bbd275611dec6d3f378105ec8a4c7 980020 perl-base_5.10.1-17squeeze2_i386.deb
 c3c6f3cd7281b3f4e257888a5852aff59dc6bda72e5fae31657abf998c4a115e 6630538 perl-debug_5.10.1-17squeeze2_i386.deb
 c048a8a5152f14e7d46c84b94036a15949f7f0f90462bed80ae0488033bffd3c 32812 perl-suid_5.10.1-17squeeze2_i386.deb
 3e7889cc93fe1851a4d518abee8126b0541e72c8eded0217a90dd6cb7ccde4a5 632860 libperl5.10_5.10.1-17squeeze2_i386.deb
 a2fc52def97f73025b49efdc81acdee2d755163b7da44da7ffb2494eaaad2122 2344576 libperl-dev_5.10.1-17squeeze2_i386.deb
 95d3702c8dfb1ae59a3a53c11df1b28c033efc38eda5c94fc72b63394bd764f6 3779812 perl_5.10.1-17squeeze2_i386.deb
Files: 
 c4eca2ad3d134ceacbf4e3c3c4f0ef10 1422 perl standard perl_5.10.1-17squeeze2.dsc
 5642720990ea6ddbe1766cc05c7b5a10 116450 perl standard perl_5.10.1-17squeeze2.debian.tar.gz
 a37b28b28b9fa72cfaf024148100acc1 52780 perl optional libcgi-fast-perl_5.10.1-17squeeze2_all.deb
 321b5a69524112c3ab049f28bca839b9 7188450 doc optional perl-doc_5.10.1-17squeeze2_all.deb
 1b7085ff3f2e23724fa1efce6924b28b 3490048 perl standard perl-modules_5.10.1-17squeeze2_all.deb
 b3a55d438e975d815f0b7bfaabef9ca4 980020 perl required perl-base_5.10.1-17squeeze2_i386.deb
 b7be7b97992de6c16da61964eaea7af2 6630538 debug extra perl-debug_5.10.1-17squeeze2_i386.deb
 fec9683c52ef33cac947d21e4398bf80 32812 perl optional perl-suid_5.10.1-17squeeze2_i386.deb
 d30d7a0330bd33790c60d402a9ebbfdc 632860 libs optional libperl5.10_5.10.1-17squeeze2_i386.deb
 0814324dd4b1c2e822415cb7139263ca 2344576 libdevel optional libperl-dev_5.10.1-17squeeze2_i386.deb
 059a09702a58e5f679abc1cafaa46ee6 3779812 perl standard perl_5.10.1-17squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFODNhMYzuFKFF44qURAhEAAKCcvVKogBVaOBj1SoWNnBbtoRdD9QCfc9t/
qTnVtSEX8a38Fa0HGTIwvAk=
=appy
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2011 07:33:15 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 09:55:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.