Fedora has issued an advisory on October 12: https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141315.html There are no details on the issue, but I think this announcement for 5.48 is probably related: https://groups.google.com/forum/#!topic/mojolicious/aJTYjRCPjOE Mageia 3 and Mageia 4 are also affected.
CC: (none) => jquelin | Whiteboard: (none) => MGA4TOO, MGA3TOO
I have no idea what to do about this bug. The second link describes breakage in other modules. Not something I'd suggest. If this is the security issue they fixed then I'm not sure what to do next. I don't want to break working modules, especially if we can't detect which ones break and how badly :/ WDYT?
From the upstream discussion, it sounds like a serious issue. Fedora felt comfortable updating it. At the very least, Cauldron should be updated. If you want to give it some time to see how that goes before updating Mageia 4, we can do that. It just means we can't update Mageia 3. I can't imagine it'd have a huge impact though, especially as it's only required by perl-MojoX-Redis and perl-Test-WWW-Mechanize-Mojo and nothing requires those. Anyone using this module should be adapting to the upstream changes anyway to make sure they don't get unknowingly hit by this issue.
So, cauldron got updated to the latest version and I have uploaded 5.49 for Mageia 3 and 4. For testing I found that they have a "Getting Started" section on their homepage: http://mojolicio.us - as there is no POC it should be safe to just check that it still works. Suggested advisory: ======================== David, maybe you can help with that :) ======================== Updated packages in core/updates_testing: ======================== perl-Mojolicious-5.490.0-1.mga3.noarch perl-Mojolicious-5.490.0-1.mga4.noarch Source RPMs: perl-Mojolicious-5.490.0-1.mga3.src.rpm perl-Mojolicious-5.490.0-1.mga4.src.rpm
Version: Cauldron => 4 | Assignee: mageia => qa-bugs | Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Thanks Sander! Suggested advisory: ======================== Updated perl-Mojolicious package fixes security vulnerability: An assumption in Mojolicious before 5.48 CGI parameter handling that can result in parameter injection attacks. References: https://groups.google.com/forum/#!topic/mojolicious/aJTYjRCPjOE https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141315.html
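To make the "parameter injection" wording in the advisory concrete for testers: as I understand the upstream 5.48 change, the `param` accessor used to return every value of a repeated parameter when called in list context, and 5.48 made it return a single scalar and added `every_param` for the multi-value case (which is why other modules broke). The script below is an added illustration, not Mageia's or Mojolicious' code: `parse_query`, `param_old`, `param_new` and `every_param` are hypothetical stand-ins that mimic that behaviour with core Perl only, and the query string is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration of the parameter-injection pattern named in the advisory.
# Not Mageia or Mojolicious code: parse_query, param_old, param_new and
# every_param are hypothetical stand-ins that mimic the behaviour described,
# so the script runs with core Perl only.
use strict;
use warnings;

# Parse a query string into name => [values] (URL decoding omitted for brevity).
sub parse_query {
    my ($query) = @_;
    my %params;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        push @{ $params{$name} }, $value // '';
    }
    return \%params;
}

# Old-style accessor: returns every value in list context, only the first in
# scalar context. This context sensitivity is the hazard.
sub param_old {
    my ($params, $name) = @_;
    my @values = @{ $params->{$name} || [] };
    return wantarray ? @values : $values[0];
}

# Hardened accessor: always a single scalar, whatever the calling context.
sub param_new {
    my ($params, $name) = @_;
    return ($params->{$name} || [])->[0];
}

# Multiple values are still available, but only when asked for explicitly.
sub every_param {
    my ($params, $name) = @_;
    return @{ $params->{$name} || [] };
}

# Constructed request: "user" is repeated so that the extra values line up as
# an additional key/value pair inside the caller's hash constructor.
my $query  = 'user=alice&user=role&user=admin';
my $params = parse_query($query);

# Vulnerable call site: param_old is evaluated in list context, so it expands
# to ('alice', 'role', 'admin') and the hash is built from
# (role => 'guest', user => 'alice', role => 'admin'); the last key wins,
# so the caller's default role is silently replaced.
my %old = (role => 'guest', user => param_old($params, 'user'));
print "old accessor: user=$old{user} role=$old{role}\n";

# Same call site with the scalar-only accessor: only the first value is used
# and the default role survives.
my %new = (role => 'guest', user => param_new($params, 'user'));
print "new accessor: user=$new{user} role=$new{role}\n";

# Multi-value access now has to be deliberate, which is what audits should
# look for when checking code that was written against the old behaviour.
my @all = every_param($params, 'user');
print "every_param: @all\n";
```

Running it with `perl` shows the default role being overridden with the old-style accessor and preserved with the scalar one; when reviewing modules that depend on this package, the thing to grep for is `param(...)` used inside a hash or list constructor, since that is where the old list-context behaviour bites.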
Installed perl-Mojolicious-5.490.0-1.mga4.noarch on Mageia4-64. I was able to do the test as referenced in Comment 3. No problems encountered, apart from a warning to change the secret passphrase, which I didn't bother about.
CC: (none) => herman.viaene | Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
Tested on Mageia3-64. Current package: perl-Mojolicious-3.940.0-1.mga3, then update testing package: perl-Mojolicious-5.490.0-1.mga3, using the procedure mentioned in comment 3. OK on mageia3-64 (same warning: [debug] Your secret passphrase needs to be changed!!! on both versions)
CC: (none) => olchal | Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA3-64-OK
Validating for inclusion in mga3. Advisory uploaded. Please push to updates
Keywords: (none) => validated_update | Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK => MGA3TOO advisory has_procedure MGA4-64-OK MGA3-64-OK | CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0488.html
Status: NEW => RESOLVED | Resolution: (none) => FIXED