[libmodule-signature-perl] 04/04: Prepare changelog for release to jessie-security

Salvatore Bonaccorso carnil at debian.org
Thu May 14 13:29:51 UTC 2015


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to annotated tag debian/0.73-1+deb8u1
in repository libmodule-signature-perl.

commit 5b1d09a33dc621a90927a7df4b1a69f3b0b05778
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu May 14 12:59:14 2015 +0200

    Prepare changelog for release to jessie-security
    
    Git-Dch: Ignore
---
 debian/changelog | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a3b0ed9..bb7cb7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high
+
+  * Team upload.
+  * Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
+    CVE-2015-3406: Module::Signature parses the unsigned portion of the
+    SIGNATURE file as the signed portion due to incorrect handling of PGP
+    signature boundaries.
+    CVE-2015-3407: Module::Signature incorrectly handles files that are not
+    listed in the SIGNATURE file. This includes some files in the t/
+    directory that would execute when tests are run.
+    CVE-2015-3408: Module::Signature uses two argument open() calls to read
+    the files when generating checksums from the signed manifest, allowing
+    to embed arbitrary shell commands into the SIGNATURE file that would
+    execute during the signature verification process. (Closes: #783451)
+  * Add CVE-2015-3409.patch patch.
+    CVE-2015-3409: Module::Signature incorrectly handles module loading
+    allowing to load modules from relative paths in @INC. A remote attacker
+    providing a malicious module could use this issue to execute arbitrary
+    code during signature verification. (Closes: #783451)
+  * Add Fix-signature-tests.patch patch.
+    Fix signature tests by defaulting to verify(skip=>1) when
+    $ENV{TEST_SIGNATURE} is true.
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Thu, 14 May 2015 12:58:30 +0200
+
 libmodule-signature-perl (0.73-1) unstable; urgency=low
 
   * Team upload.
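Review bot: Two style points on the new changelog entry. The two bullets "Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch." and "Add CVE-2015-3409.patch patch." carry a redundant trailing "patch"; suggest "Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch." and "Add CVE-2015-3409.patch.". The descriptions for CVE-2015-3408 and CVE-2015-3409 read "allowing to embed arbitrary shell commands" and "allowing to load modules from relative paths in @INC", which is ungrammatical; suggest "allowing an attacker to embed arbitrary shell commands into the SIGNATURE file" and "allowing modules to be loaded from relative paths in @INC". Both patch bullets also end with "(Closes: #783451)"; a single occurrence closes the bug, so either drop the second or keep the duplicate deliberately to record that both patches address parts of the same report. Content otherwise looks right for a jessie-security upload: urgency=high, the four CVE identifiers match the patch names, and the test-suite change (defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true) is documented next to the fixes it accompanies.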

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-signature-perl.git