| Summary: | perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, herman.viaene, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/694861/ | ||
| Whiteboard: | MGA5-32-OK advisory MGA5-64-OK | ||
| Source RPM: | perl-CGI-Emulate-PSGI-0.210.0-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2016-08-09 20:41:27 CEST

David Walser
2016-08-09 20:41:55 CEST

Whiteboard: (none) => MGA5TOO

Fixed in Cauldron by Guillaume (thanks!).

CC: (none) => guillomovitch

I have uploaded a patched package for Mageia 5. I don't know how to test this, but I have confirmed that the patch is applied.

Suggested advisory:
========================

This update removes the setting of the HTTP_PROXY environment value. This works around the httpoxy vulnerability (aka CVE-2016-5387).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/
========================

Updated packages in core/updates_testing:
========================
perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5

Source RPM: perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5.src.rpm

Assignee: mageia => qa-bugs

MGA-32 on Asus A6000VM Xfce
No installation issues.

# urpmq --whatrequires perl-CGI-Emulate-PSGI
perl-CGI-Emulate-PSGI
perl-CGI-Emulate-PSGI
perl-Plack
perl-Plack
rt

Installed rt, but it seems a complex thing to test. At CLI:

# strace -o rttest.txt rt-setup-database --action init rttest
In order to create or update your RT database, this script needs to connect to your mysql instance on localhost as root
Please specify that user's database password below. If the user has no database password, just press return.
Password:
Working with:
Type:   mysql
Host:   localhost
Name:   rt4
User:   rt_user
DBA:    root
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now creating a mysql database rt4 for RT.
Done.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now populating database schema.
Done.

and then more

Now inserting database ACLs.
Granting access to rt_user@'localhost' on rt4.
Done.
Now inserting RT core system objects.
Done.
Now inserting data.
Done inserting data.
Done.

with the above warnings interspersed.

But the trace file did not show any call to one of the elements of the test package.
At least nothing seems to be broken by the installation.

Whiteboard:
(none) => MGA5-32-OK

Other test possibilities?

$ urpmq --whatrequires-recursive perl-CGI-Emulate-PSGI | sort | uniq
mga-mirrors
perl-Catalyst-Action-RenderView
... then a long list of perl-... modules to
perl-Twiggy
rt
mga-mirrors - Mageia Mirrors management
/usr/bin/check_mirror
/usr/bin/mga_mirrors_cgi.pl
/usr/bin/mga_mirrors_create.pl
/usr/bin/mga_mirrors_fastcgi.pl
/usr/bin/mga_mirrors_server.pl
/usr/bin/mga_mirrors_test.pl

I shall investigate this, in hope. Installing mga-mirrors pulled in 77 pkgs, including the one in question.

CC: (none) => lewyssmith

As for many perl libraries, there isn't any valid test procedure besides running dedicated unit tests during the build process (make test). Curiously, they are disabled in the spec file, I don't know why, but they work for me.

Just installing a web application that may eventually use it for some unknown purpose (remember: this is an automatic dependency computed by a code parser) doesn't have any added value here.

All in all, just forget testing, you're wasting your time.
Dave Hodgins
2017-05-19 19:38:46 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

(In reply to Guillaume Rousse from comment #5)
> As for many perl libraries, there isn't any valid test procedure besides
> running dedicated unit tests during the build process (make test).
> Curiously, they are disabled in the spec file, I don't know why, but they
> work for me.
>
> All in all, just forget testing, you're wasting your time.

Guillaume: thank you for this helpful & frank advice!

M5x64

I had indeed wasted hours messing with the binaries noted in Comment 4, $ mga_mirrors_server.pl -help being the only one worth looking at. Another one invites the installation of something from CPAN; DO NOT DO THAT - the consequences are dire.

perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5
So I just went for a clean update, which it was; that will have to do.

Validating; advisory already registered.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0146.html

Status: NEW => RESOLVED
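The suggested advisory above says the fix stops HTTP_PROXY from being set, and the thread notes there is no test procedure beyond the module's unit tests. The following added example (not code from CGI::Emulate::PSGI, Mageia or this bug) shows a minimal PSGI-to-CGI environment mapping of the kind a CGI emulation layer performs, why a request's Proxy header surfaces as HTTP_PROXY, and the hardened variant that drops it; `cgi_env_from_psgi`, its `hardened` option and the sample request are constructed for this illustration.

```perl
use strict;
use warnings;

# Hypothetical helper (constructed for this example): derive the CGI
# meta-variables a CGI script will see in %ENV from a PSGI environment.
sub cgi_env_from_psgi {
    my ($psgi_env, %opt) = @_;
    my %cgi;
    for my $key (sort keys %$psgi_env) {
        # PSGI servers already expose request headers as HTTP_<NAME>;
        # copy those plus the standard CGI request variables.
        next unless $key =~ /^HTTP_/
            || $key =~ /^(?:REQUEST_METHOD|PATH_INFO|QUERY_STRING|SERVER_NAME)$/;
        # httpoxy (CVE-2016-5387): the request header "Proxy:" arrives as
        # HTTP_PROXY, the very name many HTTP client libraries consult for
        # an outgoing proxy. The hardened variant never forwards it to %ENV.
        next if $opt{hardened} && $key eq 'HTTP_PROXY';
        $cgi{$key} = $psgi_env->{$key};
    }
    return \%cgi;
}

# Constructed sample request carrying a client-supplied Proxy header.
my %psgi = (
    REQUEST_METHOD => 'GET',
    PATH_INFO      => '/index.cgi',
    HTTP_HOST      => 'www.example.com',
    HTTP_PROXY     => 'http://proxy.example.invalid:8080',  # from "Proxy:"
);

my $unfixed = cgi_env_from_psgi(\%psgi);
my $fixed   = cgi_env_from_psgi(\%psgi, hardened => 1);

printf "unfixed: HTTP_PROXY=%s\n", $unfixed->{HTTP_PROXY} // '(unset)';
printf "fixed:   HTTP_PROXY=%s\n", $fixed->{HTTP_PROXY}   // '(unset)';

# A regression check of the kind a "make test" step would carry: the
# Proxy header must be dropped while ordinary headers still come through.
die "HTTP_PROXY still forwarded\n" if exists $fixed->{HTTP_PROXY};
die "Host header lost\n" unless $fixed->{HTTP_HOST} eq 'www.example.com';
print "ok: Proxy header no longer reaches the CGI environment\n";
```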