Bug 29327

Summary: perl-DBI new security issue CVE-2014-10402
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: perl-DBI-1.643.0-4.mga8.src.rpm CVE: CVE-2014-10402
Status comment:

Description David Walser 2021-08-04 20:00:04 CEST 
Ubuntu has issued an advisory today (August 4):
https://ubuntu.com/security/notices/USN-5030-1

Mageia 8 is also affected.
David Walser 2021-08-04 20:00:41 CEST

Status comment: (none) => Patch available from upstream and Ubuntu
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-08-04 21:11:10 CEST 
This SRPM is maintained by different people, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-09-02 14:02:08 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). (CVE-2014-10402)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10402
https://ubuntu.com/security/notices/USN-5030-1
========================

Updated packages in core/updates_testing:
========================
perl-DBI-ProfileDumper-Apache-1.643.0-4.1.mga8
perl-DBI-1.643.0-4.1.mga8

from SRPM:
perl-DBI-1.643.0-4.1.mga8.src.rpm

Status comment: Patch available from upstream and Ubuntu => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: perl-DBI-1.643.0-6.mga9.src.rpm => perl-DBI-1.643.0-4.mga8.src.rpm
Version: Cauldron => 8
CVE: (none) => CVE-2014-10402
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2021-09-30 15:39:39 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues.
As with other developer tools and in previous updates, OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-10-02 05:25:05 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-10-02 19:10:06 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-10-02 20:58:47 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0451.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED