[Rt-commit] rt branch, 3.8-trunk, updated. rt-3.8.10-41-g7349f99

Alex Vandiver alexmv at bestpractical.com
Wed Oct 5 13:24:43 EDT 2011


The branch, 3.8-trunk has been updated
       via  7349f99d1bd1035421ccb1b843ad3f958b8168f3 (commit)
       via  8064158c0ce71f52b59d667a30baebd3873604e3 (commit)
      from  f5beed2515bab7eb46c4bbc7015ffb552ba269f4 (commit)

Summary of changes:
 sbin/rt-test-dependencies.in |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

- Log -----------------------------------------------------------------
commit 8064158c0ce71f52b59d667a30baebd3873604e3
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Fri Sep 30 12:11:18 2011 -0400

    Bump the FCGI dependency, which closes FCGI's CVE-2011-2766
    
    CGI::Fast, which RT 3.8 uses for its FastCGI interface, uses a
    deprecated interface of the FCGI module.  The FCGI module, in release
    0.70 (22 March 2010), introduced a bug in this interface, wherein under
    mod_fastcgi (but not mod_fcgid) the environment of the very first
    request to the FastCGI child was copied into all subsequent requests.
    Among other things, this means that the cookies of the first request
    were seen by all subsequent requests that did not themselves specify a
    cookie.
    
    FCGI version 0.74 closes this bug; bump RT's dependency accordingly.

diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in
index 1ce118f..a964e29 100755
--- a/sbin/rt-test-dependencies.in
+++ b/sbin/rt-test-dependencies.in
@@ -303,7 +303,7 @@ Log::Dispatch::Perl
 
 $deps{'FASTCGI'} = [ text_to_hash( << '.') ];
 CGI 3.38
-FCGI
+FCGI 0.74
 CGI::Fast 
 .
 
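Review bot: The new `FCGI 0.74` floor in the `$deps{'FASTCGI'}` list has no in-file record of why it exists, so a later cleanup could relax it without knowing it guards against CVE-2011-2766. Consider a short comment above `$deps{'FASTCGI'} = [ text_to_hash( << '.') ];` naming the CVE and the affected range (FCGI 0.70 up to, but not including, 0.74), since the rationale currently lives only in the commit message. The change raises the minimum in the dependency list only, so it is also worth stating in the upgrade notes that sites using the FastCGI interface under mod_fastcgi should re-run the dependency check after upgrading.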

commit 7349f99d1bd1035421ccb1b843ad3f958b8168f3
Merge: f5beed2 8064158
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Wed Oct 5 13:24:31 2011 -0400

    Merge branch 'security/3.8/fcgi-env-vulnerability' into 3.8-trunk


-----------------------------------------------------------------------

