| Summary: | perl-Mojolicious new security issue fixed upstream in 5.49 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, jquelin, olchal, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/617642/ | | |
| Whiteboard: | MGA3TOO advisory has_procedure MGA4-64-OK MGA3-64-OK | | |
| Source RPM: | perl-Mojolicious-5.390.0-5.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-10-22 19:36:44 CEST

David Walser
2014-10-22 19:36:57 CEST

CC: (none) => jquelin

I have no idea what to do about this bug. The second link describes breakage in other modules. Not something I'd suggest. If this is the security issue they fixed then I'm not sure what to do next. I don't want to break working modules, especially if we can't detect which ones break and how badly :/ WDYT?

From the upstream discussion, it sounds like a serious issue. Fedora felt comfortable updating it. At the very least, Cauldron should be updated. If you want to give it some time to see how that goes before updating Mageia 4, we can do that. It just means we can't update Mageia 3. I can't imagine it'd have a huge impact though, especially as it's only required by perl-MojoX-Redis and perl-Test-WWW-Mechanize-Mojo and nothing requires those. Anyone using this module should be adapting to the upstream changes anyway to make sure they don't get unknowingly hit by this issue.

So, cauldron got updated to the latest version and I have uploaded 5.49 for Mageia 3 and 4. For testing I found that they have a "Getting Started" section on their homepage: http://mojolicio.us - as there is no PoC it should be safe to just check that it still works.

Suggested advisory:
========================
David, maybe you can help with that :)
========================

Updated packages in core/updates_testing:
========================
perl-Mojolicious-5.490.0-1.mga3.noarch
perl-Mojolicious-5.490.0-1.mga4.noarch

Source RPMs:
perl-Mojolicious-5.490.0-1.mga3.src.rpm
perl-Mojolicious-5.490.0-1.mga4.src.rpm

Version: Cauldron => 4

Thanks Sander!

Suggested advisory:
========================
Updated perl-Mojolicious package fixes security vulnerability:

An assumption in the CGI parameter handling of Mojolicious before 5.48 can result in parameter injection attacks.

References:
https://groups.google.com/forum/#!topic/mojolicious/aJTYjRCPjOE
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141315.html
========================

Installed perl-Mojolicious-5.490.0-1.mga4.noarch on Mageia4-64. I was able to do the test as referenced in Comment 3. No problems encountered, apart from a warning to change the secret passphrase, which I didn't bother about.

CC: (none) => herman.viaene

Tested on Mageia3-64. Current package: perl-Mojolicious-3.940.0-1.mga3, then update testing package: perl-Mojolicious-5.490.0-1.mga3, using the procedure mentioned in comment 3. OK on Mageia3-64 (same warning "[debug] Your secret passphrase needs to be changed!!!" on both versions).

CC: (none) => olchal

Validating for inclusion in mga3. Advisory uploaded. Please push to updates.

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0488.html

Status: NEW => RESOLVED
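The advisory text above names a parameter injection in CGI parameter handling but does not describe the mechanism. The Perl script below is an added illustration, not code from this bug report, from Mojolicious or from Mageia, of the classic form of that bug class, which I assume is what the advisory refers to: a parameter accessor that returns every value of a multi-valued parameter when called in list context, so that a request carrying extra values can smuggle additional key/value pairs into a hash built around it. The `%query` request data, the `param` stand-in and the `build_user_*` helpers are all constructed for this example and are not the Mojolicious API.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request data (hypothetical, not from the bug): the attacker sent
#   ?name=alice&name=role&name=admin
# so the "name" parameter carries three values while "role" carries one.
my %query = (
    name => [ 'alice', 'role', 'admin' ],
    role => ['user'],
);

# Stand-in for an old-style CGI parameter accessor (an assumption about the
# bug class, not Mojolicious code): every value in list context, only the
# first value in scalar context.
sub param {
    my ($name) = @_;
    my $values = $query{$name} || [];
    return wantarray ? @$values : $values->[0];
}

# Vulnerable pattern: param() is evaluated in list context inside the hash
# constructor, so the surplus values become extra key/value pairs and the
# attacker-supplied "role => admin" overrides the hard-coded role.
sub build_user_vulnerable {
    my %user = (
        role => 'user',
        name => param('name'),
    );
    return \%user;
}

# Hardened pattern: force scalar context so exactly one value fills the slot,
# whatever the client sent.
sub build_user_fixed {
    my %user = (
        role => 'user',
        name => scalar param('name'),
    );
    return \%user;
}

my $bad  = build_user_vulnerable();
my $good = build_user_fixed();
printf "vulnerable: name=%s role=%s\n", $bad->{name},  $bad->{role};
printf "fixed:      name=%s role=%s\n", $good->{name}, $good->{role};
```

Run it with `perl`: the vulnerable builder reports the injected role, the fixed one keeps `user`. The general rule when reviewing Perl web code of this era is to never let a parameter accessor be evaluated in list context (hash constructors, argument lists, string interpolation of `@{[ ... ]}`) unless a list is explicitly wanted, and to fetch multi-valued parameters through a dedicated all-values call so the intent is visible in the code.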