r11634 - in /trunk/libarchive-tar-perl/debian: NEWS changelog

gregoa-guest at users.alioth.debian.org
Tue Dec 25 23:26:16 UTC 2007


Author: gregoa-guest
Date: Tue Dec 25 23:26:16 2007
New Revision: 11634

URL: http://svn.debian.org/wsvn/?sc=1&rev=11634
Log:
New upstream release:
  - fixes security bug "directory traversal vulnerability" - CVE-2007-4829
    (closes: #449544)
  - urgency set to high because of the security fix
  - add NEWS.Debian that documents the changed behaviour

Added:
    trunk/libarchive-tar-perl/debian/NEWS
Modified:
    trunk/libarchive-tar-perl/debian/changelog

Added: trunk/libarchive-tar-perl/debian/NEWS
URL: http://svn.debian.org/wsvn/trunk/libarchive-tar-perl/debian/NEWS?rev=11634&op=file
==============================================================================
--- trunk/libarchive-tar-perl/debian/NEWS (added)
+++ trunk/libarchive-tar-perl/debian/NEWS Tue Dec 25 23:26:16 2007
@@ -1,0 +1,23 @@
+libarchive-tar-perl (1.38-1) unstable; urgency=high
+
+  libarchive-tar-perl before 1.38 had a security vulnerability regarding
+  directory traversal [0]. This bug is fixed in 1.38 resulting in a changed
+  (and backward incompatible) behaviour. From the upstream changelog:
+
+  ~~~~~
+
+  _ Address #30380: directory traversal vulnerability in Archive-Tar
+    - Add $INSECURE_EXTRACT_MODE which defaults to 0, disallowing
+      archives to extract files outside of cwd(). This is a backwards
+      incompatible change from 1.36 and before.
+    - Add a -I option to ptar to enable insecure extraction if needed
+
+  ~~~~~
+
+  [0]
+  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449544
+  https://rt.cpan.org/Public/Bug/Display.html?id=30380
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4829
+  
+
+ -- gregor herrmann <gregor+debian at comodo.priv.at>  Wed, 26 Dec 2007 00:13:50 +0100
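Review bot: the entry quotes the upstream fix but never tells the reader what they need to do if their own code relied on the old behaviour; the quoted lines only name `$INSECURE_EXTRACT_MODE` and the `ptar -I` switch in passing. Since NEWS.Debian is shown to admins on upgrade, add one sentence after the quoted block along the lines of "Scripts that extract entries outside the current directory will now fail; set `$Archive::Tar::INSECURE_EXTRACT_MODE = 1` (or pass `-I` to ptar) only if you trust the archive," so the user sees both the consequence and the opt-out without following the three links. Minor style point: the line before the maintainer signature (`+  ` ) carries trailing whitespace and should be an empty line.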

Modified: trunk/libarchive-tar-perl/debian/changelog
URL: http://svn.debian.org/wsvn/trunk/libarchive-tar-perl/debian/changelog?rev=11634&op=diff
==============================================================================
--- trunk/libarchive-tar-perl/debian/changelog (original)
+++ trunk/libarchive-tar-perl/debian/changelog Tue Dec 25 23:26:16 2007
@@ -1,6 +1,10 @@
-libarchive-tar-perl (1.38-1) UNRELEASED; urgency=low
+libarchive-tar-perl (1.38-1) UNRELEASED; urgency=high
 
-  * New upstream release.
+  * New upstream release:
+    - fixes security bug "directory traversal vulnerability" - CVE-2007-4829
+      (closes: #449544)
+    - urgency set to high because of the security fix
+    - add NEWS.Debian that documents the changed behaviour
   * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
     field (source stanza); Homepage field (source stanza). Removed:
     Homepage pseudo-field (Description); XS-Vcs-Svn fields.
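Review bot: the "New upstream release" item names the CVE and the bug number but not the user-visible change, so someone reading only the changelog (apt-listchanges with NEWS disabled, or the package tracker) learns that something was fixed but not that extraction outside cwd() is now refused by default. Add a short line such as "    - extraction of entries outside the current directory is now refused by default (see NEWS.Debian)" so the backwards-incompatible behaviour is visible where the urgency=high is justified. The distribution is still UNRELEASED, which is consistent with the entry being prepared in trunk; just make sure it is flipped to unstable in the same commit that uploads, since the NEWS file already says unstable.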
