[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.10-41-g7349f99
Alex Vandiver
alexmv at bestpractical.com
Wed Oct 5 13:24:43 EDT 2011
The branch, 3.8-trunk has been updated
via 7349f99d1bd1035421ccb1b843ad3f958b8168f3 (commit)
via 8064158c0ce71f52b59d667a30baebd3873604e3 (commit)
from f5beed2515bab7eb46c4bbc7015ffb552ba269f4 (commit)
Summary of changes:
sbin/rt-test-dependencies.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
- Log -----------------------------------------------------------------
commit 8064158c0ce71f52b59d667a30baebd3873604e3
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Fri Sep 30 12:11:18 2011 -0400
Bump the FCGI dependency, which closes FCGI's CVE-2011-2766
CGI::Fast, which RT 3.8 uses for its FastCGI interface, uses a
deprecated interface of the FCGI module. The FCGI module, in release
0.70 (22 March 2010), introduced a bug in this interface, wherein under
mod_fastcgi (but not mod_fcgid) the environment of the very first
request to the FastCGI child was copied into all subsequent requests.
Among other things, this means that the cookies of the first request
were seen by all subsequent requests that did not themselves specify a
cookie.
FCGI version 0.74 closes this bug; bump RT's dependency accordingly.
diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in
index 1ce118f..a964e29 100755
--- a/sbin/rt-test-dependencies.in
+++ b/sbin/rt-test-dependencies.in
@@ -303,7 +303,7 @@ Log::Dispatch::Perl
$deps{'FASTCGI'} = [ text_to_hash( << '.') ];
CGI 3.38
-FCGI
+FCGI 0.74
CGI::Fast
.
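Review bot: the new `FCGI 0.74` floor in the FASTCGI list has nothing in the file saying why it is there; a one-line comment above `$deps{'FASTCGI'}` naming CVE-2011-2766 would keep a later cleanup from relaxing it. The floor also only takes effect when rt-test-dependencies is run again, so the upgrade notes should tell sites already running FCGI 0.70 through 0.73 under mod_fastcgi to upgrade FCGI and restart their FastCGI children.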
commit 7349f99d1bd1035421ccb1b843ad3f958b8168f3
Merge: f5beed2 8064158
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Wed Oct 5 13:24:31 2011 -0400
Merge branch 'security/3.8/fcgi-env-vulnerability' into 3.8-trunk
-----------------------------------------------------------------------