Bug 14345 - perl-Mojolicious new security issue fixed upstream in 5.49
Summary: perl-Mojolicious new security issue fixed upstream in 5.49
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/617642/
Whiteboard: MGA3TOO advisory has_procedure MGA4-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-22 19:36 CEST by David Walser
Modified: 2014-11-26 18:29 CET
CC: 4 users

See Also:
Source RPM: perl-Mojolicious-5.390.0-5.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-10-22 19:36:44 CEST
Fedora has issued an advisory on October 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141315.html

There are no details on the issue, but I think this announcement for 5.48 is probably related:
https://groups.google.com/forum/#!topic/mojolicious/aJTYjRCPjOE

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-22 19:36:57 CEST

CC: (none) => jquelin
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-23 18:36:23 CET
I have no idea what to do about this bug. The second link describes breakage in other modules. Not something I'd suggest. If this is the security issue they fixed then I'm not sure what to do next. I don't want to break working modules, especially if we can't detect which ones break and how badly :/

WDYT?
Comment 2 David Walser 2014-11-23 18:42:34 CET
From the upstream discussion, it sounds like a serious issue.  Fedora felt comfortable updating it.  At the very least, Cauldron should be updated.  If you want to give it some time to see how that goes before updating Mageia 4, we can do that.  It just means we can't update Mageia 3.  I can't imagine it'd have a huge impact though, especially as it's only required by perl-MojoX-Redis and perl-Test-WWW-Mechanize-Mojo and nothing requires those.  Anyone using this module should be adapting to the upstream changes anyway to make sure they don't get unknowingly hit by this issue.
Comment 3 Sander Lepik 2014-11-24 22:46:23 CET
So, cauldron got updated to the latest version and I have uploaded 5.49 for Mageia 3 and 4.

For testing I found that they have a "Getting Started" section on their homepage: http://mojolicio.us - as there is no POC it should be safe to just check that it still works.

Suggested advisory:
========================

David, maybe you can help with that :)
========================

Updated packages in core/updates_testing:
========================
perl-Mojolicious-5.490.0-1.mga3.noarch
perl-Mojolicious-5.490.0-1.mga4.noarch

Source RPMs:
perl-Mojolicious-5.490.0-1.mga3.src.rpm
perl-Mojolicious-5.490.0-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 4 David Walser 2014-11-24 22:53:37 CET
Thanks Sander!

Suggested advisory:
========================

Updated perl-Mojolicious package fixes security vulnerability:

An assumption in Mojolicious before 5.48 CGI parameter handling that can
result in parameter injection attacks.

References:
https://groups.google.com/forum/#!topic/mojolicious/aJTYjRCPjOE
https://lists.fedoraproject.org/pipermail/package-announce/2014-October/141315.html
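The advisory text above names the bug class but not the mechanism. As I understand the upstream 5.48 change (this is not stated on this page), the problem was that the parameter accessor returned every value for a name when called in list context, so a call placed inside a hash or argument list could be made to contribute extra key/value pairs. The following Perl script is an added example, not Mojolicious code and not part of this bug report: it uses a small constructed query-string parser with a legacy-style accessor (`param_legacy`, list in list context) next to a hardened one (`param_single`, always one value, with `every_param` as the explicit opt-in), and feeds both the same constructed input. All function names and the sample query string are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example (not Mojolicious code): a minimal query-string parser
# that keeps every value seen for a name, in arrival order.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # minimal URL-decoding
        }
        push @{ $params{$k} }, $v;
    }
    return \%params;
}

# Legacy-style accessor (hypothetical name): in list context it returns
# every value for the name, in scalar context only the last one.
sub param_legacy {
    my ($params, $name) = @_;
    my @values = @{ $params->{$name} || [] };
    return wantarray ? @values : $values[-1];
}

# Hardened accessor (hypothetical name): always exactly one value,
# regardless of the context it is called in.
sub param_single {
    my ($params, $name) = @_;
    my $values = $params->{$name} || [];
    return $values->[-1];
}

# Explicit opt-in for callers that genuinely want all values.
sub every_param {
    my ($params, $name) = @_;
    return @{ $params->{$name} || [] };
}

# Constructed input: the client sends three values for "name", chosen so
# that, once flattened into a list, they form an extra "role" => "admin" pair.
my $qs = 'name=alice&name=role&name=admin';
my $p  = parse_query($qs);

# Vulnerable call site: the accessor sits in list context inside a hash
# constructor. With the legacy accessor the flattened list becomes
# (role => 'user', name => 'alice', role => 'admin'), and the later "role"
# key silently overrides the hard-coded one.
my %unsafe = (role => 'user', name => param_legacy($p, 'name'));
printf "legacy accessor:   role=%s name=%s\n", $unsafe{role}, $unsafe{name};

# Hardened call site: the same source line, but only one value can ever be
# returned, so the hash keeps exactly the keys the programmer wrote.
my %safe = (role => 'user', name => param_single($p, 'name'));
printf "hardened accessor: role=%s name=%s\n", $safe{role}, $safe{name};

# Where a list is really wanted, the intent is now visible at the call site.
my @all_names = every_param($p, 'name');
printf "every_param:       %d value(s): %s\n", scalar @all_names, join ', ', @all_names;
```

Run it and compare the two `role=` values: with the legacy accessor the attacker-supplied values decide the role, with the hardened accessor the role stays as coded and only the single `name` value changes. The defensive lesson for code that consumes request parameters is the same whichever framework is in use: never call a multi-value accessor in list context inside a hash or argument list; force scalar context (or use a single-value accessor) and request lists only through an explicitly list-returning API.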
Comment 5 Herman Viaene 2014-11-25 11:00:58 CET
Installed perl-Mojolicious-5.490.0-1.mga4.noarch on Mageia4-64.
I was able to do the test as referenced in Comment 3.
No problems encountered, apart from a warning to change the secret passphrase, which I didn't bother about.

CC: (none) => herman.viaene
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 6 olivier charles 2014-11-25 15:46:35 CET
Tested on Mageia3-64

Current package:
perl-Mojolicious-3.940.0-1.mga3
then
Update testing package:
perl-Mojolicious-5.490.0-1.mga3

using procedure mentioned in comment 3.

OK on mageia3-64 (same warning: [debug] Your secret passphrase needs to be changed!!! on both versions)

CC: (none) => olchal
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA3-64-OK

Comment 7 claire robinson 2014-11-26 11:29:27 CET
Validating for inclusion in mga3. Advisory uploaded.

Please push to updates

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK => MGA3TOO advisory has_procedure MGA4-64-OK MGA3-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2014-11-26 18:29:55 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0488.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED