oss-security January 2011 archive

Re: [oss-security] Re: CVE Request -- perl-CGI two ids, perl-CGI-Simple one id (CVE-2010-3172 already assigned for Bugzilla part)

From: Mark Stosberg <mark_at_nospam>
Date: Tue Jan 04 2011 - 15:13:54 GMT
To: Jan Lieskovsky <jlieskov@redhat.com>

> Are there some patches still to come wrt Perl's CPAN CGI-Simple module
> and those two CVE ids?

Yes, this one. It is not currently applied in the master branch yet:

https://github.com/markstos/CGI--Simple/commit/e811ab874a5e0ac8a99e76b645a0e537d8f714da

> I can see the latest CGI-Simple-v113 released on Monday, 27th December 2010:
> [1] http://search.cpan.org/dist/CGI-Simple/
>
> Does it contain fixes for both CVE issues (so it is possible to rebase
> to the new version), or is there anything else to be done in this part of
> the world yet?

It contains only a partial fix, mirroring what happened with CGI.pm.

> Is the fix we were waiting for on the CGI-Simple side:
> [2] https://github.com/AndyA/CGI--Simple/commit/5a861280ef524661105e132536ff7d1a9084941f

That's not it, that's separate.

Lincoln is the primary maintainer of CGI.pm, but I have upload rights.
However, we haven't heard from him recently. A week ago I asked again for
his input and notified him that I would upload a new release myself if I
hadn't heard from him in another week. That time has come now -- I plan
to upload a new release of CGI.pm in the next 24 hours.

   Mark