[Bug 657965] New: RFE: Please update HTML::Tree to version 4.1
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=657965
Summary: RFE: Please update HTML::Tree to version 4.1
Product: Fedora
Version: rawhide
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: medium
Priority: low
Component: perl-HTML-Tree
AssignedTo: tcallawa(a)redhat.com
ReportedBy: jfearn(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: tcallawa(a)redhat.com, fedora-perl-devel-list(a)redhat.com
Blocks: 540356
Classification: Fedora
Target Release: ---
Hi, there is a new version of HTML::Tree upstream, please update to 4.1.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
[perl-HTML-Tree] update to 4.1
by Tom Callaway
commit 63c6f60390315d56c086d7548ae3ae839cb53fcc
Author: Tom "spot" Callaway <tcallawa(a)redhat.com>
Date: Wed Dec 1 16:34:56 2010 -0500
update to 4.1
.gitignore | 1 +
perl-HTML-Tree.spec | 11 ++++++-----
sources | 2 +-
3 files changed, 8 insertions(+), 6 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 59580e1..3308a59 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
HTML-Tree-3.23.tar.gz
/HTML-Tree-4.0.tar.gz
+/HTML-Tree-4.1.tar.gz
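Review bot: the first entry `HTML-Tree-3.23.tar.gz` lacks the leading `/` that the two entries below it use, so it matches at any depth rather than only at the repository root; anchor it as `/HTML-Tree-3.23.tar.gz` for consistency, or drop the stale 3.23 and 4.0 entries now that `sources` references only `HTML-Tree-4.1.tar.gz`.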
diff --git a/perl-HTML-Tree.spec b/perl-HTML-Tree.spec
index fae3461..0a89277 100644
--- a/perl-HTML-Tree.spec
+++ b/perl-HTML-Tree.spec
@@ -1,14 +1,12 @@
-%define version_real 4.0
-
Name: perl-HTML-Tree
-Version: 4.00
+Version: 4.1
Release: 1%{?dist}
Epoch: 1
Summary: HTML tree handling modules for Perl
Group: Development/Libraries
License: GPL+ or Artistic
URL: http://search.cpan.org/dist/HTML-Tree/
-Source0: http://www.cpan.org/authors/id/J/JF/JFEARN/HTML-Tree-%{version_real}.tar.gz
+Source0: http://www.cpan.org/authors/id/J/JF/JFEARN/HTML-Tree-%{version}.tar.gz
BuildArch: noarch
BuildRequires: perl(HTML::Parser) >= 3.46
BuildRequires: perl(HTML::Tagset) >= 3.02
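Review bot: removing `version_real` means `Version:` must now be spelled exactly as the upstream tarball name, so `4.1` (not `4.10` or `4.1.0`) is the right value and the `sources` hunk confirms the filename `HTML-Tree-4.1.tar.gz`. Because rpm compares version segments numerically, `4.1` sorts above the previous `4.00`, so with `Epoch: 1` unchanged the upgrade path is intact; it would be worth mentioning the macro removal in the changelog entry, since that is the change in this hunk beyond the version bump.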
@@ -32,7 +30,7 @@ libwww-perl distribution, but are now unbundled in order to facilitate
a separate development track.
%prep
-%setup -q -n HTML-Tree-%{version_real}
+%setup -q -n HTML-Tree-%{version}
%build
%{__perl} Build.PL installdirs=vendor
@@ -58,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man3/HTML::*3*
%changelog
+* Wed Dec 1 2010 Tom "spot" Callaway <tcallawa(a)redhat.com> - 1:4.1-1
+- update to 4.1
+
* Mon Oct 18 2010 Marcela Mašláňová <mmaslano(a)redhat.com> - 1:3.40-1
- update, adjust specfile to use Build.PL
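Review bot: the new `1:4.1-1` entry sits directly on top of `1:3.40-1`, yet the spec being replaced already carried `Version: 4.00`, so the 4.00 bump was never recorded in `%changelog`; add a back-dated entry for that release (or note the skipped step in this entry) so `rpm -q --changelog` does not show a gap. The entry itself follows the existing format for date, E:V-R and the `- ` line.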
diff --git a/sources b/sources
index 40b8a2a..d7ffc3c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7ba44995905a117c00f6744350799883 HTML-Tree-4.0.tar.gz
+c339cc18ec68e9c677480d2e714b20d1 HTML-Tree-4.1.tar.gz
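Review bot: the MD5 in `sources` is the only integrity anchor for the new tarball, and a digest taken from the same download cannot tell a tampered archive from the genuine one; before pushing, confirm the tarball against upstream's CPAN `CHECKSUMS` file (or the author's signature) and only then record its MD5 here.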
[Bug 658970] perl-CGI-Simple: CRLF injection vulnerability via a crafted URL
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=658970
--- Comment #3 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-12-01 14:20:45 EST ---
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1
And reply from Mark Stosberg regarding patch completion:
=========================================================
> > Since perl-CGI is a different code base than Bugzilla, we suspect a
> > new CVE id is required
> > for this issue? Steve, could you please allocate one? (id #1)
CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm depending on how they use it.
> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
> >
> > Chris, Mark, could you please provide more details about the
> > issue? Is it
> > related to CVE-2010-3172?
Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).
> > Steve, could you please allocate CVE id for this? (id #2)
> >
> > Yet, back to CVE-2010-3172, Masahiro mentions in [2] that
> > perl-CGI-Simple is prone
> > to the same deficiency as CVE-2010-3172 in Bugzilla was:
> > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> >
> > Looks like it was already fixed in perl-CGI-Simple too:
> > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> >
> > Relevant perl-CGI-Simple patch:
> > [6]
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb72...
Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:
https://github.com/markstos/CGI--Simple/network
However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.
Mark
===========================================================
Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2
============================================================
Tom, regarding the already scheduled Fedora updates -- not
sure how to proceed now regarding the incomplete patch / change
mentioned above? Would we rather wait a bit and fix the issue
completely later or fix it 'two times'?
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Note: The facts above arose only very recently.
[Bug 658976] perl-CGI: CRLF injection vulnerability via a crafted URL
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=658976
--- Comment #2 from Jan Lieskovsky <jlieskov(a)redhat.com> 2010-12-01 14:16:58 EST ---
CVE Request:
[1] http://www.openwall.com/lists/oss-security/2010/12/01/1
And reply from Mark Stosberg regarding patch completion:
=========================================================
> > Since perl-CGI is a different code base than Bugzilla, we suspect a
> > new CVE id is required
> > for this issue? Steve, could you please allocate one? (id #1)
CGI.pm is used by the Bugzilla code base. However, Bugzilla may not
always be vulnerable to issues in CGI.pm depending on how they use it.
> > 2. Further improvements to handling of newlines embedded in header
> > values.
> > An exception is thrown if header values contain invalid newlines.
> > Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux
> > Lincoln Stein, Frederic Buclin and Mark Stosberg
> >
> > Chris, Mark, could you please provide more details about the
> > issue? Is it
> > related to CVE-2010-3172?
Yes, it is. However, later testing found that the issue wasn't
completely fixed in 3.50. A new patch has been developed, and is
currently pending review and acceptance by the primary CGI.pm author,
Lincoln Stein. (Now CC'ed).
> > Steve, could you please allocate CVE id for this? (id #2)
> >
> > Yet, back to CVE-2010-3172, Masahiro mentions in [2] that
> > perl-CGI-Simple is prone
> > to the same deficiency as CVE-2010-3172 in Bugzilla was:
> > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c13
> >
> > Looks like it was already fixed in perl-CGI-Simple too:
> > [5] https://bugzilla.mozilla.org/show_bug.cgi?id=600464#c31
> >
> > Relevant perl-CGI-Simple patch:
> > [6]
> > https://github.com/AndyA/CGI--Simple/commit/e4942b871a26c1317a175a91ebb72...
Note that CGI::Simple also shares the header newline injection issue
with CGI.pm, but remains unpatched. I submitted a patch, but it has not
been applied, as seen in the Network view:
https://github.com/markstos/CGI--Simple/network
However, even the patch I submitted is not fully complete, as it mirrors
the 3.50 state of CGI.pm, and thus also needs further work. Once CGI.pm
has a final update to address the remaining header injection issue, I'll
share the same patch with CGI::Simple.
Mark
===========================================================
Yet, reply from Reed Loden of Mozilla Security Group:
[3] http://www.openwall.com/lists/oss-security/2010/12/01/2
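The check that both bug comments above are about ("an exception is thrown if header values contain invalid newlines"), written out as an added example. This is illustration code, not CGI.pm's or CGI::Simple's own implementation; the function name `build_header_line` and the sample values are assumptions made for the example. It builds one response header line and dies if the name or value could carry a line break into the response, so a crafted parameter cannot end the Location header and start another.

```perl
#!/usr/bin/perl
# Added example, not CGI.pm or CGI::Simple code: a strict header-value check
# of the kind the bug thread discusses. Function name and sample values are
# assumptions made for this illustration.
use strict;
use warnings;

# Return "Name: value\r\n" for a single response header, or die if the name
# or value could inject a line break. Every CR and LF is rejected, including
# the "folded" form (a line break followed by space or tab); a check that
# tolerates folding is a common way such a fix ends up incomplete.
sub build_header_line {
    my ($name, $value) = @_;

    # Header names are tokens: letters, digits and '-' only.
    die "Invalid header name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9-]+\z/;

    # Any CR or LF anywhere in the value is an injection attempt or a bug.
    die "Invalid newline in header value\n"
        unless defined $value && $value !~ /[\r\n]/;

    # Other ASCII control characters have no business in a header either.
    die "Control character in header value\n"
        if $value =~ /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;

    return "$name: $value\r\n";
}

# Constructed sample inputs: a benign redirect target, a value that tries to
# smuggle a second header through an unvalidated parameter, and the folded
# variant of the same thing.
my @samples = (
    ['Location', 'http://example.com/page?id=42'],
    ['Location', "http://example.com/\r\nSet-Cookie: injected=1"],
    ['Location', "http://example.com/\n Set-Cookie: folded=1"],
);

for my $s (@samples) {
    my $line = eval { build_header_line(@$s) };
    if (defined $line) {
        print "accepted: $line";
    } else {
        chomp(my $err = $@);
        print "rejected: $err\n";
    }
}
```

Only the first sample is accepted; the other two die with "Invalid newline in header value". Letting the check die rather than silently stripping the offending characters is deliberate: the caller learns that untrusted data reached a header, which is the condition worth logging and fixing, and a stripped value could still be an attacker-chosen redirect target.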