December 2010 - perl-devel - Fedora Mailing-Lists

[Bug 652158] Use of :locked is deprecated

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=652158 --- Comment #13 from Fedora Update System <updates(a)fedoraproject.org> 2010-12-01 16:54:48 EST --- mrtg-2.16.4-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

[Bug 540356] & and & are treated as & during rendering

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=540356 Bug 540356 depends on bug 657965, which changed state. Bug 657965 Summary: RFE: Please update HTML::Tree to version 4.1 https://bugzilla.redhat.com/show_bug.cgi?id=657965 What |Old Value |New Value ---------------------------------------------------------------------------- Resolution| |RAWHIDE Status|NEW |CLOSED -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

[Bug 657965] New: RFE: Please update HTML::Tree to version 4.1

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. Summary: RFE: Please update HTML::Tree to version 4.1 https://bugzilla.redhat.com/show_bug.cgi?id=657965 Summary: RFE: Please update HTML::Tree to version 4.1 Product: Fedora Version: rawhide Platform: Unspecified OS/Version: Unspecified Status: NEW Severity: medium Priority: low Component: perl-HTML-Tree AssignedTo: tcallawa(a)redhat.com ReportedBy: jfearn(a)redhat.com QAContact: extras-qa(a)fedoraproject.org CC: tcallawa(a)redhat.com, fedora-perl-devel-list(a)redhat.com Blocks: 540356 Classification: Fedora Target Release: --- Hi, there is a new version of HTML::Tree upstream, please update to 4.1. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
1
0 / 0

[perl-HTML-Tree] update to 4.1

by Tom Callaway

commit 63c6f60390315d56c086d7548ae3ae839cb53fcc Author: Tom "spot" Callaway <tcallawa(a)redhat.com> Date: Wed Dec 1 16:34:56 2010 -0500 update to 4.1 .gitignore | 1 + perl-HTML-Tree.spec | 11 ++++++----- sources | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) --- diff --git a/.gitignore b/.gitignore index 59580e1..3308a59 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ HTML-Tree-3.23.tar.gz /HTML-Tree-4.0.tar.gz +/HTML-Tree-4.1.tar.gz diff --git a/perl-HTML-Tree.spec b/perl-HTML-Tree.spec index fae3461..0a89277 100644 --- a/perl-HTML-Tree.spec +++ b/perl-HTML-Tree.spec @@ -1,14 +1,12 @@ -%define version_real 4.0 - Name: perl-HTML-Tree -Version: 4.00 +Version: 4.1 Release: 1%{?dist} Epoch: 1 Summary: HTML tree handling modules for Perl Group: Development/Libraries License: GPL+ or Artistic URL: http://search.cpan.org/dist/HTML-Tree/ -Source0: http://www.cpan.org/authors/id/J/JF/JFEARN/HTML-Tree-%{version_real}.tar.gz +Source0: http://www.cpan.org/authors/id/J/JF/JFEARN/HTML-Tree-%{version}.tar.gz BuildArch: noarch BuildRequires: perl(HTML::Parser) >= 3.46 BuildRequires: perl(HTML::Tagset) >= 3.02 @@ -32,7 +30,7 @@ libwww-perl distribution, but are now unbundled in order to facilitate a separate development track. %prep -%setup -q -n HTML-Tree-%{version_real} +%setup -q -n HTML-Tree-%{version} %build %{__perl} Build.PL installdirs=vendor @@ -58,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/HTML::*3* %changelog +* Wed Dec 1 2010 Tom "spot" Callaway <tcallawa(a)redhat.com> - 1:4.1-1 +- update to 4.1 + * Mon Oct 18 2010 Marcela Mašláňová <mmaslano(a)redhat.com> - 1:3.40-1 - update, adjust specfile to use Build.PL diff --git a/sources b/sources index 40b8a2a..d7ffc3c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7ba44995905a117c00f6744350799883 HTML-Tree-4.0.tar.gz +c339cc18ec68e9c677480d2e714b20d1 HTML-Tree-4.1.tar.gz

13 years, 5 months

1
0
0 / 0

File HTML-Tree-4.1.tar.gz uploaded to lookaside cache by spot

by Tom Callaway

A file has been added to the lookaside cache for perl-HTML-Tree: c339cc18ec68e9c677480d2e714b20d1 HTML-Tree-4.1.tar.gz

13 years, 5 months

1
0
0 / 0

[Bug 658970] perl-CGI-Simple: CRLF injection vulnerability via a crafted URL

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=658970 --- Comment #5 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-12-01 14:34:48 EST --- Sure, will keep an eye on the issue and post the final patch here once known. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

[Bug 658970] perl-CGI-Simple: CRLF injection vulnerability via a crafted URL

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=658970 --- Comment #4 from Tom "spot" Callaway <tcallawa(a)redhat.com> 2010-12-01 14:25:47 EST --- Jan, seems to make sense to wait. I'll leave that update in testing and obsolete it with the next update. When the final patches are ready, can you post them here? -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

[Bug 658970] perl-CGI-Simple: CRLF injection vulnerability via a crafted URL

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=658970 --- Comment #3 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-12-01 14:20:45 EST --- CVE Request: [1] http://www.openwall.com/lists/oss-security/2010/12/01/1 And reply from Mark Stosberg regarding patch completion: ========================================================= > Since perl-CGi is different code base than Bugzilla, we suspect a > > new CVE id is required > > for this issue? Steve, could you please allocate one? (id #1) CGI.pm is used by the Bugzilla code base. However, Bugzilla may not always be vulnerable to issues in CGI.pm depending on they use it. > > 2. Further improvements to handling of newlines embedded in header > > values. > > An exception is thrown if header values contain invalid newlines. > > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux > > Lincoln Stein, Frederic Buclin and Mark Stosberg > > > > Chris, Mark, could you please provide more details about the > > issue? Is it > > related to CVE-2010-3172? Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed). > > Steve, could you please allocate CVE id for this? (id #2) > > > > Yet, back to CVE-2010-3172, Masahiro mentions in [2], that > > perl-CGI-Simple is prone > > to same deficiency, as CVE-2010-3172 in Bugzilla was: > > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13 > > > > Looks, like it was already fixed in perl-CGI-Simple too: > > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31 > > > > Relevant perl-CGi-Simple patch: > > [6] > > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb72... Note that CGI::Simple also shares the header newline injection issue with CGI.pm, but remains unpatched. I submitted a patch, but it has not been applied, as seen in the Network view: https://github.com/markstos/CGI--Simple/network However, even the patch I submitted is not fully complete, as it mirrors the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm has a final update to address the remaining header injection issue, I'll share the same patch with CGI::Simple. Mark =========================================================== Yet, reply from Reed Loden of Mozilla Security Group: [3] http://www.openwall.com/lists/oss-security/2010/12/01/2 ============================================================ Tom, regarding the already scheduled Fedora updates -- not sure, how to proceed now regarding the incomplete patch / change mention above? Would we rather wait a bit and fix the issue completely later or fix it 'two times'? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team Note: The facts above arised only very recently. -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

[Bug 658976] perl-CGI: CRLF injection vulnerability via a crafted URL

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=658976 --- Comment #2 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-12-01 14:16:58 EST --- CVE Request: [1] http://www.openwall.com/lists/oss-security/2010/12/01/1 And reply from Mark Stosberg regarding patch completion: ========================================================= > Since perl-CGi is different code base than Bugzilla, we suspect a > > new CVE id is required > > for this issue? Steve, could you please allocate one? (id #1) CGI.pm is used by the Bugzilla code base. However, Bugzilla may not always be vulnerable to issues in CGI.pm depending on they use it. > > 2. Further improvements to handling of newlines embedded in header > > values. > > An exception is thrown if header values contain invalid newlines. > > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux > > Lincoln Stein, Frederic Buclin and Mark Stosberg > > > > Chris, Mark, could you please provide more details about the > > issue? Is it > > related to CVE-2010-3172? Yes, it is. However, later testing found that the issue wasn't completely fixed in 3.50. A new patch has been developed, and is currently pending review and acceptance by the primary CGI.pm author, Lincoln Stein. (Now CC'ed). > > Steve, could you please allocate CVE id for this? (id #2) > > > > Yet, back to CVE-2010-3172, Masahiro mentions in [2], that > > perl-CGI-Simple is prone > > to same deficiency, as CVE-2010-3172 in Bugzilla was: > > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13 > > > > Looks, like it was already fixed in perl-CGI-Simple too: > > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31 > > > > Relevant perl-CGi-Simple patch: > > [6] > > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb72... Note that CGI::Simple also shares the header newline injection issue with CGI.pm, but remains unpatched. I submitted a patch, but it has not been applied, as seen in the Network view: https://github.com/markstos/CGI--Simple/network However, even the patch I submitted is not fully complete, as it mirrors the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm has a final update to address the remaining header injection issue, I'll share the same patch with CGI::Simple. Mark =========================================================== Yet, reply from Reed Loden of Mozilla Security Group: [3] http://www.openwall.com/lists/oss-security/2010/12/01/2 -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

[Bug 658976] perl-CGI: CRLF injection vulnerability via a crafted URL

by Red Hat Bugzilla

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug. https://bugzilla.redhat.com/show_bug.cgi?id=658976 --- Comment #1 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-12-01 14:09:45 EST --- This issue affects the versions of the perl package, as shipped with Red Hat Enterprise Linux 4, 5, and 6. -- The perl-CGI packages, present in Fedora release of 13 and 14 has been already scheduled for update (though they may be present in the -testing repository yet). -- Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

13 years, 5 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

perl-devel December 2010