| Summary: | perl-DBI new security issues CVE-2019-20919, CVE-2020-14392, CVE-2020-14393 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | perl-DBI-1.642.0-1.mga7.src.rpm | CVE: | CVE-2019-20919, CVE-2020-14392, CVE-2020-14393 |
| Status comment: | | | |

Description
David Walser
2020-09-22 20:09:12 CEST

Various maintainers = assign globally!

    Assignee: bugsquad => pkg-bugs

openSUSE has issued an advisory on September 20:
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html

There was an additional issue fixed in 1.643.

    Summary: perl-DBI new security issue CVE-2020-14392 => perl-DBI new security issues CVE-2020-14392 and CVE-2020-14393

Ubuntu has issued an advisory today (September 23):
https://ubuntu.com/security/notices/USN-4534-1

There was yet another issue fixed in 1.643.

    Summary: perl-DBI new security issues CVE-2020-14392 and CVE-2020-14393 => perl-DBI new security issues CVE-2019-20919, CVE-2020-14392, CVE-2020-14393

Fedora has issued an advisory for this today (September 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
David Walser
2020-12-28 18:59:07 CET

    Status comment: (none) => Fixed upstream in 1.643

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. (CVE-2019-20919)

An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. (CVE-2020-14392)

A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data. (CVE-2020-14393)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14393
https://ubuntu.com/security/notices/USN-4503-1
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html
https://ubuntu.com/security/notices/USN-4534-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
========================

Updated packages in core/updates_testing:
========================
perl-DBI-1.642.0-1.1.mga7
perl-DBI-proxy-1.642.0-1.1.mga7
perl-DBI-ProfileDumper-Apache-1.642.0-1.1.mga7

from SRPM:
perl-DBI-1.642.0-1.1.mga7.src.rpm

    Status comment: Fixed upstream in 1.643 => (none)

Very much out of my area of expertise, but it's been here over 3 weeks, so... perl-DBI was already installed on my system, so I installed the other two packages, too. Updated all three using QA Repo, no installation issues. No idea of how to test, so passing it on with a clean install. Validating. Advisory in Comment 5.

    Keywords: (none) => validated_update

Advisory pushed to SVN.

    CVE: (none) => CVE-2019-20919, CVE-2020-14392, CVE-2020-14393

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0048.html

    Resolution: (none) => FIXED
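As an added illustration of the defect class the suggested advisory names for CVE-2020-14393 (a fixed-size buffer written without a length check), here is a small C example written for this page. It is not code from DBI.xs or the perl-DBI project and does not reproduce the actual vulnerable function; the 300-character limit is taken from the advisory text, while the struct, the function names and the buffer layout are assumptions made for the example. It shows the unbounded copy beside a bounded one that refuses over-long input instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code written for this page; it is NOT DBI.xs and does not
 * reproduce the real function. The 300-character limit comes from the
 * advisory text for CVE-2020-14393; the struct, function names and buffer
 * layout are assumptions for the example. */
#define FIELD_MAX 300

struct field {
    char buf[FIELD_MAX + 1];        /* FIELD_MAX characters plus the NUL */
};

/* Defect class described in the advisory: the destination has a fixed size
 * but the copy is driven purely by the source length, so any input longer
 * than FIELD_MAX writes past the end of buf. Shown for contrast only. */
static void copy_unchecked(struct field *f, const char *src)
{
    strcpy(f->buf, src);
}

/* Hardened form: scan at most FIELD_MAX + 1 bytes of the source, refuse
 * anything that would not fit, and only then write. Returns 0 on success,
 * -1 when the input is rejected (NULL or too long). Silent truncation is
 * deliberately avoided so the caller can surface the error. */
static int copy_checked(struct field *f, const char *src)
{
    size_t n = 0;

    if (f == NULL || src == NULL)
        return -1;
    /* bounded scan: stop as soon as we know the string is too long */
    while (n <= FIELD_MAX && src[n] != '\0')
        n++;
    if (n > FIELD_MAX)
        return -1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
    return 0;
}

/* Test driver: builds a constructed input of `len` 'A's and reports what
 * copy_checked does with it: 0 accepted, -1 refused, -2 if the request
 * exceeds the driver's own scratch space, -3 if the stored copy is wrong. */
int try_length(size_t len)
{
    char src[FIELD_MAX + 64];
    struct field f;
    int rc;

    if (len >= sizeof src)
        return -2;
    memset(src, 'A', len);
    src[len] = '\0';
    rc = copy_checked(&f, src);
    if (rc == 0 && (strlen(f.buf) != len || memcmp(f.buf, src, len) != 0))
        return -3;
    return rc;
}

int main(void)
{
    struct field f;

    copy_unchecked(&f, "short input is fine either way");
    printf("unchecked copy of short input: %s\n", f.buf);
    printf("300 chars: %d (expect 0)\n", try_length(FIELD_MAX));
    printf("301 chars: %d (expect -1)\n", try_length(FIELD_MAX + 1));
    return 0;
}
```

The bounded scan in copy_checked never reads further than FIELD_MAX + 1 bytes, so it is safe even when the source is not NUL-terminated within the expected range; returning an error rather than truncating matches the advisory's framing, where both availability and data integrity are at stake.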