| Summary: | perl new security issues CVE-2017-12837 and CVE-2017-12883 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, marja11, shlomif, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | perl-5.26.1-0.4.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 19051 | ||
Description
David Walser
2017-09-21 23:47:58 CEST
David Walser
2017-09-21 23:48:03 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO

Assigning to the registered maintainer.

Assignee: bugsquad => shlomif

Fedora has issued an advisory for this today (October 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UOKIACN6UTXROW3HWROMUCE52VWGRIHH/

According to https://metacpan.org/changes/distribution/perl these two issues were fixed in 5.26.1 which is now in cauldron. Setting the keywords accordingly.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

perl-5.22.3-3.1.mga6 submitted to 6 core/updates-testing - please test after it is built - http://pkgsubmit.mageia.org/ .

Thanks Shlomi. For Mageia 5, can you do anything about the issues in Bug 19051?

Built for this update:
perl-5.20.1-8.7.mga5
perl-base-5.20.1-8.7.mga5
perl-devel-5.20.1-8.7.mga5
perl-doc-5.20.1-8.7.mga5
perl-5.22.3-3.1.mga6
perl-base-5.22.3-3.1.mga6
perl-devel-5.22.3-3.1.mga6
perl-doc-5.22.3-3.1.mga6

from SRPMS:
perl-5.20.1-8.7.mga5.src.rpm
perl-5.22.3-3.1.mga6.src.rpm

Shouldn't this bug be assigned to QA?

(In reply to Frédéric Buclin from comment #7)
> Shouldn't this bug be assigned to QA?

yes, it should be.

Shlomi, it'd be great if you could help finish fixing the issues from Bug 19051.

Blocks: (none) => 19051

Mageia 5 will be handled in Bug 19051 (still waiting on fixes for some modules).

Advisory:
========================

Updated perl packages fix security vulnerabilities:

Jakub Wilk reported a heap buffer overflow flaw in the regular expression compiler, allowing a remote attacker to cause a denial of service via a specially crafted regular expression with the case-insensitive modifier (CVE-2017-12837).

Jakub Wilk reported a buffer over-read flaw in the regular expression parser, allowing a remote attacker to cause a denial of service or information leak (CVE-2017-12883).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12883
https://www.debian.org/security/2017/dsa-3982
========================

Updated packages in core/updates_testing:
========================
perl-5.22.3-3.1.mga6
perl-base-5.22.3-3.1.mga6
perl-devel-5.22.3-3.1.mga6
perl-doc-5.22.3-3.1.mga6

from perl-5.22.3-3.1.mga6.src.rpm

Assignee: shlomif => qa-bugs

Just testing that packages like drakrpm still work. Validating the update.

Keywords: (none) => validated_update
Dave Hodgins
2018-01-03 16:03:53 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0049.html

Status: NEW => RESOLVED