Your message dated Wed, 25 May 2011 19:53:20 +0000
with message-id <e1qpk8u-0006ba...@franck.debian.org>
and subject line Bug#626135: fixed in libmojolicious-perl 0.999926-1+squeeze2
has caused the Debian Bug report #626135,
regarding libmojolicious-perl: XSS vulnerability in the link_to helper
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
626135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmojolicious-perl
Version: 0.999926-1+squeeze1
Severity: grave
Tags: squeeze security
Justification: user security hole

Hi

libmojolicious-perl prior to 1.12 seems vulnerable to a cross-site
scripting vulnerability. 

The CVE for this issue is CVE-2011-1841 [1].

 [1] http://security-tracker.debian.org/tracker/CVE-2011-1841

Debian wheezy and unstable already have 1.21-1. Debian squeeze has
0.999926-1+squeeze1, which according to [2] is vulnerable.

 [2] http://www.securityfocus.com/bid/47713/info

Changelog for 1.12 contains:

        - Fixed XSS issue in link_to helper.

This seems to be fixed in upstream git commit
f6801ef7be8c78092e38f870b19fae3da0899d60 (but needs a check if we can
apply it to version in squeeze).

Bests
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
Source: libmojolicious-perl
Source-Version: 0.999926-1+squeeze2

We believe that the bug you reported is fixed in the latest version of
libmojolicious-perl, which is due to be installed in the Debian FTP archive:

libmojolicious-perl_0.999926-1+squeeze2.debian.tar.gz
  to main/libm/libmojolicious-perl/libmojolicious-perl_0.999926-1+squeeze2.debian.tar.gz
libmojolicious-perl_0.999926-1+squeeze2.dsc
  to main/libm/libmojolicious-perl/libmojolicious-perl_0.999926-1+squeeze2.dsc
libmojolicious-perl_0.999926-1+squeeze2_all.deb
  to main/libm/libmojolicious-perl/libmojolicious-perl_0.999926-1+squeeze2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 626...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libmojolicious-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 May 2011 10:49:18 +0200
Source: libmojolicious-perl
Binary: libmojolicious-perl
Architecture: source all
Version: 0.999926-1+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 libmojolicious-perl - Model-View-Controller Web Application Framework
Closes: 626135
Changes: 
 libmojolicious-perl (0.999926-1+squeeze2) stable-security; urgency=high
 .
   * [SECURITY] Fix XSS vulnerability in link_to helper. Fixes
     CVE-2011-1841 (Closes: #626135).
   * [SECURITY] Add fix-CVE-2010-4803.patch. Fix not properly implemented
     HMAC-MD5 checksums. Fixes CVE-2010-4803.
   * [SECURITY] Add fix-CVE-2010-4802.patch. Fix broken CGI environment
     detection. Fixes CVE-2010-4802.




--- End Message ---
