Debian Bug report logs - #644147
pu: package libdigest-perl/1.16-1+squeeze1


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Mon, 3 Oct 2011 10:33:01 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.4

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-perl-maintainers@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#644147; Package release.debian.org. (Mon, 03 Oct 2011 10:33:05 GMT)

Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to pkg-perl-maintainers@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Mon, 03 Oct 2011 10:33:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package libdigest-perl/1.16-1+squeeze1
Date: Mon, 03 Oct 2011 12:29:56 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval[1]: the argument to Digest->new($algo) was not
checked properly allowing code injection (in case the value can be
changed by the attacker).  Versions in both lenny and squeeze are
affected.

The security team does not plan to release a DSA; the issue should be
fixed via proposed-updates instead.

I prepared updates for both lenny and squeeze (attached).

Regards,
Ansgar

[1] <https://github.com/gisle/digest/commit/33800e83550bcad19c4fc593874ec3497841fa1e>
[libdigest-perl_lenny.diff (text/x-diff, attachment)]
[libdigest-perl_squeeze.diff (text/x-diff, attachment)]
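The pattern behind the report above, as an added illustration that is not Digest.pm's code and not the upstream fix: an algorithm name supplied by the caller is interpolated into a string `eval`, so Perl compiles whatever the caller passed. The check to apply when auditing similar code is whether any `eval "..."` string contains data from outside the program; a block `eval { }` wrapping `require` on a file path compiles nothing from the caller. The function names `load_backend_unsafe` and `load_backend_safe`, the `%KNOWN` allow-list and the sample inputs are assumptions made for this example; a real loader would also map user-facing names such as `SHA-1` to a backend module, which is omitted here.

```perl
#!/usr/bin/perl
# Added illustration, not Digest.pm's code: loading a digest backend chosen
# by the caller. Pattern A has the shape of the bug described in the bug
# report; pattern B is one hardened equivalent. Function names and the
# %KNOWN allow-list are assumptions made for this example.
use strict;
use warnings;

# Pattern A (unsafe, hypothetical): the caller's algorithm name is spliced
# into Perl source text and compiled. Only a plain identifier is harmless
# here; any other characters in $algorithm are parsed as Perl code.
sub load_backend_unsafe {
    my ($algorithm) = @_;
    my $class = "Digest::$algorithm";
    eval "require $class";    # string eval: $class is compiled as source
    die $@ if $@;
    return $class;
}

# Backend module names this loader is willing to load (assumed list;
# both modules ship with core Perl).
my %KNOWN = map { $_ => 1 } qw(MD5 SHA);

# Pattern B (hardened): validate the name's shape, consult an allow-list,
# then load the module by file path inside a block eval. The caller's
# string is never compiled as Perl; the worst case is a failed file lookup.
sub load_backend_safe {
    my ($algorithm) = @_;
    $algorithm =~ /\A[A-Za-z0-9_]+\z/
        or die "digest algorithm name must be an identifier\n";
    $KNOWN{$algorithm}
        or die "unknown digest algorithm '$algorithm'\n";
    my $class = "Digest::$algorithm";
    (my $pm_file = "$class.pm") =~ s{::}{/}g;    # e.g. Digest/SHA.pm
    eval { require $pm_file; 1 }
        or die "cannot load $class: $@";
    return $class;
}

# Demonstration with constructed inputs: a valid backend loads, a name with
# a non-identifier character is refused before any eval runs, and a name
# that passes the shape check but is not allow-listed is refused as well.
for my $name ('SHA', 'SHA-1', 'Nonexistent') {
    my $class = eval { load_backend_safe($name) };
    if (defined $class) {
        print "'$name' => loaded $class\n";
    }
    else {
        chomp(my $err = $@);
        print "'$name' => rejected: $err\n";
    }
}
```

Run it with `perl` on any system with core Perl; only `load_backend_safe` is exercised, and `load_backend_unsafe` is present solely to show the construct an audit should flag. The two checks in the safe loader are independent: the regex bounds what characters can ever reach `require`, and the allow-list bounds which modules can be loaded even when the name is well-formed.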

Bug 644147 cloned as bug 644149. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 03 Oct 2011 10:36:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#644147; Package release.debian.org. (Tue, 04 Oct 2011 20:36:08 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 04 Oct 2011 20:36:08 GMT)

Message #12 received at 644147@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ansgar Burchardt <ansgar@debian.org>, 644147@bugs.debian.org
Cc: 644149@bugs.debian.org
Subject: Re: Bug#644147: pu: package libdigest-perl/1.16-1+squeeze1
Date: Tue, 04 Oct 2011 21:33:38 +0100
tag 644149 + lenny confirmed
tag 644147 + squeeze confirmed
thanks

On Mon, 2011-10-03 at 12:29 +0200, Ansgar Burchardt wrote:
> the last upstream release of libdigest-perl (1.17) contains a fix for an
> unsafe use of eval[1]: the argument to Digest->new($algo) was not
> checked properly allowing code injection (in case the value can be
> changed by the attacker).  Versions in both lenny and squeeze are
> affected.

Please go ahead with both uploads; thanks.

Regards,

Adam

Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 04 Oct 2011 20:36:14 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#644147; Package release.debian.org. (Tue, 11 Oct 2011 19:48:03 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 11 Oct 2011 19:48:03 GMT)

Message #19 received at 644147@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 644147@bugs.debian.org
Cc: Ansgar Burchardt <ansgar@debian.org>, 644149@bugs.debian.org
Subject: Re: Bug#644147: pu: package libdigest-perl/1.16-1+squeeze1
Date: Tue, 11 Oct 2011 20:44:12 +0100
tag 644149 + pending
tag 644147 + pending
thanks

On Tue, 2011-10-04 at 21:33 +0100, Adam D. Barratt wrote:
> On Mon, 2011-10-03 at 12:29 +0200, Ansgar Burchardt wrote:
> > the last upstream release of libdigest-perl (1.17) contains a fix for an
> > unsafe use of eval[1]: the argument to Digest->new($algo) was not
> > checked properly allowing code injection (in case the value can be
> > changed by the attacker).  Versions in both lenny and squeeze are
> > affected.
> 
> Please go ahead with both uploads; thanks.

For the record, both uploads have now been accepted; thanks.

Regards,

Adam

Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 11 Oct 2011 19:48:07 GMT)

Bug marked as fixed in version 6.0.4; send any further explanations to Ansgar Burchardt <ansgar@debian.org>. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 28 Jan 2012 14:06:25 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2012 07:35:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 19:50:54 2014; Machine Name: buxtehude.debian.org
