Date: Wed, 22 Jan 2003 09:49:53 -0800
From: "Ronald F. Guilmette" <rfg@monkeys.com>
To: Fernan Aguero <fernan@iib.unsam.edu.ar>
Cc: ports@FreeBSD.ORG
Subject: Re: Serious Security BUG in CGI::Lite
Message-ID: <97428.1043257793@monkeys.com>
In-Reply-To: Your message of Wed, 22 Jan 2003 14:43:54 -0300. <20030122174354.GH35269@iib.unsam.edu.ar>

In message <20030122174354.GH35269@iib.unsam.edu.ar>, you wrote:

>+----[ Ronald F. Guilmette <rfg@monkeys.com> (22.Jan.2003 14:30):
>|
>| I believe that I have found a serious security bug in the CGI::Lite
>| package that's distributed as part of the FreeBSD ports collection.
>
>Is this a FreeBSD specific bug? In principle I wouldn't
>think so, since we're talking about a perl module ...

No, it is NOT in any way FreeBSD specific.

>Also note that security issues due to third party software
>(any software installed through the ports system) are dealt
>with differently than issues with the base system (though
>some ports are actually important, security-wise).

OK. I can understand that. But different how? Please expand my
consciousness.

>Have you tried to contact the author of the module (look in
>search.cpan.org) to see if s/he is already aware of it?

Yes, I tried e-mailing the person whose e-mail address is listed as the
creator/releasor of the v2.0 version in the README file of the package
itself, and I have had no response whatsoever for over a week now.

Like I say, I am _trying_ to do the Right Thing here... whatever that
may be. But I don't have any good idea what the accepted protocol is
in a case like this. I want to get the (bug) information out ASAP, but
I don't want to screw anybody... least of all my fellow FreeBSD users.