Debian Bug report logs - #644149
opu: package libdigest-perl/1.15-2+lenny1


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Ansgar Burchardt <ansgar@debian.org>

Date: Mon, 3 Oct 2011 10:33:01 UTC

Severity: normal

Tags: confirmed, lenny

Fixed in version 5.0.10

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-perl-maintainers@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#644147; Package release.debian.org. (Mon, 03 Oct 2011 10:33:05 GMT)

Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
New Bug report received and forwarded. Copy sent to pkg-perl-maintainers@lists.alioth.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Mon, 03 Oct 2011 10:33:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package libdigest-perl/1.16-1+squeeze1
Date: Mon, 03 Oct 2011 12:29:56 +0200
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval[1]: the argument to Digest->new($algo) was not
checked properly allowing code injection (in case the value can be
changed by the attacker).  Versions in both lenny and squeeze are
affected.

The security team does not plan to release a DSA, the issue should be
fixed via proposed-updates instead.

I prepared updates for both lenny and squeeze (attached).

Regards,
Ansgar

[1] <https://github.com/gisle/digest/commit/33800e83550bcad19c4fc593874ec3497841fa1e>
[libdigest-perl_lenny.diff (text/x-diff, attachment)]
[libdigest-perl_squeeze.diff (text/x-diff, attachment)]
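As an added example of the pattern the report describes (my own code, not Digest.pm's or the upstream patch): a Digest->new()-style factory that never interpolates the caller-supplied algorithm name into a string eval. The %MMAP table, the name regex and the function names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not Digest.pm's own code): load "Digest::<algo>" for a
# caller-supplied name without string-eval'ing any of that text.
use strict;
use warnings;

# Unsafe pattern from the bug: interpolating an unchecked name into a
# string eval, e.g.   eval "require Digest::$algorithm";
# Whatever the caller places in $algorithm is then compiled as Perl.

my %MMAP = (               # assumed algorithm -> module map, as Digest.pm has
    "SHA-256" => "Digest::SHA",
    "MD5"     => "Digest::MD5",
);

sub load_digest_class {
    my ($algorithm) = @_;
    my $class = $MMAP{$algorithm} || "Digest::$algorithm";

    # Hardened: accept only a syntactically valid package name, so the
    # value can never carry code, whitespace or path separators.
    die "invalid digest algorithm name\n"
        unless $class =~ /\A\w+(?:::\w+)*\z/;

    # Load via the file-path form of require: no string eval involved,
    # and the validated name cannot reach outside the Digest/ namespace.
    (my $pm_file = "$class.pm") =~ s{::}{/}g;
    require $pm_file;
    die "$class is not a Digest implementation\n"
        unless $class->can('new');
    return $class;
}

sub safe_digest_new {
    my ($algorithm, @args) = @_;
    my $class = load_digest_class($algorithm);
    return $class->new(@args);
}

# Constructed checks: a valid name loads normally; malformed names are
# rejected before any loading is attempted.
my $md5 = safe_digest_new("MD5");
$md5->add("hello");
print "MD5(hello) = ", $md5->hexdigest, "\n";

for my $bad ("MD-5", "MD5.pm", "MD5/../X") {
    eval { safe_digest_new($bad) };
    print "rejected '$bad': $@";
}
```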

Bug 644147 cloned as bug 644149. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 03 Oct 2011 10:36:10 GMT)

Changed Bug title to 'opu: package libdigest-perl/1.15-2+lenny1' from 'pu: package libdigest-perl/1.16-1+squeeze1'. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 03 Oct 2011 10:36:17 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#644149; Package release.debian.org. (Tue, 04 Oct 2011 20:36:10 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 04 Oct 2011 20:36:10 GMT)

Message #14 received at 644149@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ansgar Burchardt <ansgar@debian.org>, 644147@bugs.debian.org
Cc: 644149@bugs.debian.org
Subject: Re: Bug#644147: pu: package libdigest-perl/1.16-1+squeeze1
Date: Tue, 04 Oct 2011 21:33:38 +0100
tag 644149 + lenny confirmed
tag 644147 + squeeze confirmed
thanks

On Mon, 2011-10-03 at 12:29 +0200, Ansgar Burchardt wrote:
> the last upstream release of libdigest-perl (1.17) contains a fix for an
> unsafe use of eval[1]: the argument to Digest->new($algo) was not
> checked properly allowing code injection (in case the value can be
> changed by the attacker).  Versions in both lenny and squeeze are
> affected.

Please go ahead with both uploads; thanks.

Regards,

Adam
Added tag(s) confirmed and lenny. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 04 Oct 2011 20:36:14 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#644149; Package release.debian.org. (Tue, 11 Oct 2011 19:48:05 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 11 Oct 2011 19:48:05 GMT)

Message #21 received at 644149@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 644147@bugs.debian.org
Cc: Ansgar Burchardt <ansgar@debian.org>, 644149@bugs.debian.org
Subject: Re: Bug#644147: pu: package libdigest-perl/1.16-1+squeeze1
Date: Tue, 11 Oct 2011 20:44:12 +0100
tag 644149 + pending
tag 644147 + pending
thanks

On Tue, 2011-10-04 at 21:33 +0100, Adam D. Barratt wrote:
> On Mon, 2011-10-03 at 12:29 +0200, Ansgar Burchardt wrote:
> > the last upstream release of libdigest-perl (1.17) contains a fix for an
> > unsafe use of eval[1]: the argument to Digest->new($algo) was not
> > checked properly allowing code injection (in case the value can be
> > changed by the attacker).  Versions in both lenny and squeeze are
> > affected.
> 
> Please go ahead with both uploads; thanks.

For the record, both uploads have now been accepted; thanks.

Regards,

Adam
Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 11 Oct 2011 19:48:07 GMT)

Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sat, 10 Mar 2012 12:29:19 GMT)

Notification sent to Ansgar Burchardt <ansgar@debian.org>:
Bug acknowledged by developer. (Sat, 10 Mar 2012 12:29:22 GMT)

Message #28 received at 644149-done@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 639645-done@bugs.debian.org
Cc: 644149-done@bugs.debian.org, 656104-done@bugs.debian.org
Subject: Closing 5.0.10 bugs
Date: Sat, 10 Mar 2012 12:23:07 +0000
Version: 5.0.10

The packages corresponding to these bugs have now been included in the
5.0.10 point release.  I'm therefore closing the bugs.

Regards,

Adam
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Apr 2012 07:35:24 GMT)
