r11634 - in /trunk/libarchive-tar-perl/debian: NEWS changelog
gregoa-guest at users.alioth.debian.org
Tue Dec 25 23:26:16 UTC 2007
Author: gregoa-guest
Date: Tue Dec 25 23:26:16 2007
New Revision: 11634
URL: http://svn.debian.org/wsvn/?sc=1&rev=11634
Log:
New upstream release:
- fixes security bug "directory traversal vulnerability" - CVE-2007-4829
(closes: #449544)
- urgency set to high because of the security fix
- add NEWS.Debian that documents the changed behaviour
Added:
trunk/libarchive-tar-perl/debian/NEWS
Modified:
trunk/libarchive-tar-perl/debian/changelog
Added: trunk/libarchive-tar-perl/debian/NEWS
URL: http://svn.debian.org/wsvn/trunk/libarchive-tar-perl/debian/NEWS?rev=11634&op=file
==============================================================================
--- trunk/libarchive-tar-perl/debian/NEWS (added)
+++ trunk/libarchive-tar-perl/debian/NEWS Tue Dec 25 23:26:16 2007
@@ -1,0 +1,23 @@
+libarchive-tar-perl (1.38-1) unstable; urgency=high
+
+ libarchive-tar-perl before 1.38 had a security vulnerability regarding
+ directory traversal [0]. This bug is fixed in 1.38 resulting in a changed
+ (and backward incompatible) behaviour. From the upstream changelog:
+
+ ~~~~~
+
+ _ Address #30380: directory traversal vulnerability in Archive-Tar
+ - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing
+ archives to extract files outside of cwd(). This is a backwards
+ incompatible change from 1.36 and before.
+ - Add a -I option to ptar to enable insecure extraction if needed
+
+ ~~~~~
+
+ [0]
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449544
+ https://rt.cpan.org/Public/Bug/Display.html?id=30380
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4829
+
+
+ -- gregor herrmann <gregor+debian at comodo.priv.at> Wed, 26 Dec 2007 00:13:50 +0100
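Review bot: the explanatory paragraph in the NEWS entry (the lines before the quoted upstream changelog) says the new default disallows extraction outside cwd() but never states what a user will actually observe when an archive contains such an entry, i.e. whether the offending member is skipped with a warning or whether extract() fails as a whole, nor which of the two documented knobs applies to which audience (the $INSECURE_EXTRACT_MODE variable for scripts using the module, the -I option for ptar users). Since this is a NEWS.Debian entry, which is shown to administrators at upgrade time, consider adding one sentence after the quoted block that names the observable behaviour and the two knobs side by side, e.g. "Scripts using Archive::Tar that need the old behaviour must set $INSECURE_EXTRACT_MODE; command-line users of ptar can pass -I.", and keep the wording that it is a backwards incompatible change so readers do not treat the failure as a packaging regression.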
Modified: trunk/libarchive-tar-perl/debian/changelog
URL: http://svn.debian.org/wsvn/trunk/libarchive-tar-perl/debian/changelog?rev=11634&op=diff
==============================================================================
--- trunk/libarchive-tar-perl/debian/changelog (original)
+++ trunk/libarchive-tar-perl/debian/changelog Tue Dec 25 23:26:16 2007
@@ -1,6 +1,10 @@
-libarchive-tar-perl (1.38-1) UNRELEASED; urgency=low
+libarchive-tar-perl (1.38-1) UNRELEASED; urgency=high
- * New upstream release.
+ * New upstream release:
+ - fixes security bug "directory traversal vulnerability" - CVE-2007-4829
+ (closes: #449544)
+ - urgency set to high because of the security fix
+ - add NEWS.Debian that documents the changed behaviour
* debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
field (source stanza); Homepage field (source stanza). Removed:
Homepage pseudo-field (Description); XS-Vcs-Svn fields.
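Review bot: the changelog stanza still carries the distribution UNRELEASED while the NEWS.Debian entry added in the same commit is already stamped "unstable" with a fixed trailer date; both files must agree at upload time, so either leave the NEWS distribution as UNRELEASED too or remember to re-check it when the changelog is finalised, otherwise the NEWS entry will claim a release that does not yet exist. Also, the bullet "fixes security bug ..." names the CVE but the "(closes: #449544)" continuation line is indented with a single space, which some changelog parsers treat as a new sub-bullet rather than a continuation; indenting it under the text of the preceding "-" item keeps the "closes" in the same bullet.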