| Summary: | perl-Dancer2 several security issues fixed upstream in 0.206 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, herman.viaene, marja11, shlomif, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK | | |
| Source RPM: | perl-Dancer2-0.166.1-2.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | test dancer2 | | |
|
Description
David Walser
2018-06-07 18:47:51 CEST
Assigning to our Perl stack maintainers, CC'ing the registered maintainer.

CC: (none) => marja11, shlomif

shlomif updated cauldron with 0.206

Status: NEW => ASSIGNED

I pushed 0.206 for 6 in core/updates_testing with the deps needed (perl-Type-Tiny, perl-HTTP-XSCookies, perl-HTTP-Headers-Fast).

Assignee: perl => qa-bugs

Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Target Milestone: Mageia 6 => ---

When I try to select perl-Dancer2 I get:

Sorry, the following package is not selectable:
- perl-Dancer2-0.206.0-1.1.mga6.noarch (because of unfulfilled perl(Plack)[>= 1.4.0])

CC: (none) => herman.viaene

So we'll need to update perl-Plack too.

Keywords: (none) => feedback

Was trickier than I thought!

So for this perl-Dancer2 update, you now need:
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Plack-1.4.700-1.1.mga6

all of them in core/updates_testing

Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.

The perl-Dancer2 package has been updated to version 0.206.0 to fix this issue. Also, the perl-HTTP-XSCookies, perl-WWW-Form-UrlEncoded, perl-HTTP-MultiPartParser, and perl-HTTP-Entity-Parser dependencies have been added and the perl-Type-Tiny, perl-HTTP-Headers-Fast, perl-JSON-MaybeXS, and perl-Plack dependencies have been updated for the new perl-Dancer2 version.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Plack-1.4.700-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6.src.rpm
perl-JSON-MaybeXS-1.4.0-1.mga6.src.rpm
perl-HTTP-MultiPartParser-0.20.0-1.mga6.src.rpm
perl-HTTP-Entity-Parser-0.210.0-1.mga6.src.rpm
perl-Plack-1.4.700-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Keywords: feedback => (none)

You also need perl-Cookie-Baker-0.100.0-1.2.mga6 added to mga6 as well.

Adding feedback marker as per comment 9 which results in ...

# urpmi --test perl-Plack
A requested package cannot be installed:
perl-Plack-1.4.700-1.1.mga6.noarch (due to unsatisfied perl(Cookie::Baker)[>= 0.70.0])

Keywords: (none) => feedback

Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.

The perl-Dancer2 package has been updated to version 0.206.0 to fix this issue. Also, the perl-HTTP-XSCookies, perl-WWW-Form-UrlEncoded, perl-HTTP-MultiPartParser, and perl-HTTP-Entity-Parser dependencies have been added and the perl-Type-Tiny, perl-HTTP-Headers-Fast, perl-JSON-MaybeXS, perl-Cookie-Baker, and perl-Plack dependencies have been updated for the new perl-Dancer2 version.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Cookie-Baker-0.100.0-1.2.mga6
perl-Plack-1.4.700-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6.src.rpm
perl-JSON-MaybeXS-1.4.0-1.mga6.src.rpm
perl-HTTP-MultiPartParser-0.20.0-1.mga6.src.rpm
perl-HTTP-Entity-Parser-0.210.0-1.mga6.src.rpm
perl-Cookie-Baker-0.100.0-1.2.mga6.src.rpm
perl-Plack-1.4.700-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Keywords: feedback => (none)

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Found very simple example at https://metacpan.org/pod/Dancer2::Tutorial, made test file dancertest with example, then at CLI:

$ perl dancer2test
>> Dancer2 v0.206000 server 2096 listening on http://0.0.0.0:3000

and point browser at http://localhost:3000/ which displays "Hello World".
Seems OK.

Created attachment 10438: test dancer2
Herman Viaene
2018-10-29 16:57:17 CET
Whiteboard: (none) => MGA6-32-OK

Validating. Most correct advisory in Comment 11.

Keywords: (none) => validated_update
Thomas Backlund
2018-11-03 12:22:55 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0428.html

Status: ASSIGNED => RESOLVED
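The advisory above says Dancer2 0.206000 added session ID validation so that Storable-based session backends reject malformed IDs before they reach the deserialiser. The following is an added illustration written for this page, not Dancer2's own session engine: a minimal file-backed session store in the style of a Storable backend, once with the session ID used verbatim to build the file path and once guarded by an ID check. The accepted character class and the 128-byte length cap in `valid_session_id` are assumptions chosen for the example, not a quotation of Dancer2's validator; the planted file is constructed inline to stand in for Storable data an attacker managed to write somewhere on disk.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Storable qw(nstore retrieve);

# Illustration only: a toy Storable-backed session store, not Dancer2 code.
my $session_dir = tempdir(CLEANUP => 1);

# Assumed whitelist (not copied from Dancer2): only URL-safe characters and a
# sane length. Path separators, "..", NUL bytes and whitespace never pass.
sub valid_session_id {
    my ($id) = @_;
    return defined $id
        && length $id <= 128
        && $id =~ /\A[A-Za-z0-9_\-~]+\z/;
}

sub session_path {
    my ($id) = @_;
    return File::Spec->catfile($session_dir, "$id.stor");
}

# Unguarded: the ID is spliced straight into the path that Storable reads.
# An ID such as "../elsewhere/planted" makes retrieve() deserialise a file the
# attacker controls, which is the Storable exploitation path the advisory
# refers to.
sub load_session_unchecked {
    my ($id) = @_;
    my $path = session_path($id);
    return -e $path ? retrieve($path) : undef;
}

# Guarded: malformed IDs are refused before any filesystem or Storable access,
# which is the shape of the check the 0.206000 session engine introduces.
sub load_session_checked {
    my ($id) = @_;
    die "Invalid session ID\n" unless valid_session_id($id);
    return load_session_unchecked($id);
}

sub save_session {
    my ($id, $data) = @_;
    die "Invalid session ID\n" unless valid_session_id($id);
    nstore($data, session_path($id));
}

# Constructed demo data. The planted blob lives outside the session directory,
# as an upload directory or /tmp would.
my $outside = tempdir(CLEANUP => 1);
nstore({ user => 'attacker', admin => 1 }, "$outside/planted.stor");

# Relative path from the session directory to the planted blob, minus the
# ".stor" suffix that session_path() appends, e.g. "../tmpXYZ/planted".
my $traversal = File::Spec->abs2rel("$outside/planted", $session_dir);

save_session('a1b2c3', { user => 'alice', admin => 0 });
my $legit = load_session_checked('a1b2c3');
print "legitimate ID loads: user=$legit->{user}\n";

my $evil = load_session_unchecked($traversal);
print "unchecked traversal ID loads attacker data: user=$evil->{user} admin=$evil->{admin}\n";

my $ok = eval { load_session_checked($traversal); 1 };
print "checked traversal ID rejected: $@" unless $ok;
```

Run with `perl` on any system that has Storable and File::Temp (both core modules). The point of the guard is that it runs before the ID is turned into a path, so a hostile cookie value never selects which bytes Storable deserialises; a validator that only checked for ".." would still let other malformed IDs through, which is why a whitelist of allowed characters is the usual choice.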