From owner-freebsd-ports Wed Jan 22 9:49:55 2003
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 82F4537B401 for ; Wed, 22 Jan 2003 09:49:54 -0800 (PST)
Received: from segfault.monkeys.com (segfault.monkeys.com [66.60.157.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1ECA543F3F for ; Wed, 22 Jan 2003 09:49:54 -0800 (PST) (envelope-from rfg@monkeys.com)
Received: from monkeys.com (localhost [127.0.0.1]) by segfault.monkeys.com (Postfix) with ESMTP id EBCE741F40; Wed, 22 Jan 2003 09:49:53 -0800 (PST)
To: Fernan Aguero
Cc: ports@FreeBSD.ORG
Subject: Re: Serious Security BUG in CGI::Lite
In-reply-to: Your message of Wed, 22 Jan 2003 14:43:54 -0300. <20030122174354.GH35269@iib.unsam.edu.ar>
Date: Wed, 22 Jan 2003 09:49:53 -0800
Message-ID: <97428.1043257793@monkeys.com>
From: "Ronald F. Guilmette"
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <20030122174354.GH35269@iib.unsam.edu.ar>, you wrote:

>+----[ Ronald F. Guilmette (22.Jan.2003 14:30):
>|
>| I believe that I have found a serious security bug in the CGI::Lite
>| package that's distributed as part of the FreeBSD ports collection.
>
>Is this a FreeBSD-specific bug? In principle I wouldn't
>think so, since we're talking about a perl module ...

No, it is NOT in any way FreeBSD-specific.

>Also note that security issues due to third party software
>(any software installed through the ports system) are dealt
>with differently than issues with the base system (though
>some ports are actually important, security-wise).

OK. I can understand that. But different how? Please expand my consciousness.

>Have you tried to contact the author of the module (look in
>search.cpan.org) to see if s/he is already aware of it?
Yes, I tried e-mailing the person whose e-mail address is listed as the creator/releaser of the v2.0 version in the README file of the package itself, and I have had no response whatsoever for over a week now.

Like I say, I am _trying_ to do the Right Thing here... whatever that may be. But I don't have any good idea what the accepted protocol is in a case like this. I want to get the (bug) information out ASAP, but I don't want to screw anybody... least of all my fellow FreeBSD users.