Fedora has issued an advisory on August 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/

The security issue is related to the "httpoxy" set of flaws.

The issue is fixed in 0.22.
Whiteboard: (none) => MGA5TOO
Fixed in Cauldron by Guillaume (thanks!).
CC: (none) => guillomovitch
Version: Cauldron => 5
Summary: perl-CGI-Emulate-PSGI new "httpoxy" security issue => perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387)
Whiteboard: MGA5TOO => (none)
I have uploaded a patched package for Mageia 5.

I don't know how to test this, but I have confirmed that the patch is applied.

Suggested advisory:
========================

This update removes the setting of the HTTP_PROXY environment value. This works around the httpoxy vulnerability (aka CVE-2016-5387).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/
========================

Updated packages in core/updates_testing:
========================
perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5

Source RPM:
perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5.src.rpm
Assignee: mageia => qa-bugs
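Added illustration, not part of the bug thread and not the package's own code: a self-contained Perl sketch of what the suggested advisory describes. It builds a CGI-style environment from a PSGI-style request with and without HTTP_PROXY, then shows what a child process inherits. The helper names, hostnames and the sample request are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration: hypothetical helpers, not CGI::Emulate::PSGI's source.
use strict;
use warnings;

# Constructed PSGI-style request environment. Under the CGI convention each
# request header "Name: value" is stored as HTTP_NAME, so a client-sent
# "Proxy:" header lands under the key HTTP_PROXY.
my %psgi_env = (
    REQUEST_METHOD    => 'GET',
    PATH_INFO         => '/report',
    SERVER_NAME       => 'app.example.test',
    HTTP_HOST         => 'app.example.test',
    HTTP_PROXY        => 'http://proxy.example.test:8080',  # from "Proxy:" header
    'psgi.url_scheme' => 'http',
);

# Behaviour before the fix: every non-psgi.* key is copied into the CGI env.
sub cgi_env_unfiltered {
    my ($env) = @_;
    return map { $_ => $env->{$_} } grep { !/^psgix?\./ } keys %$env;
}

# Behaviour the advisory describes: HTTP_PROXY is never set.
sub cgi_env_filtered {
    my ($env) = @_;
    return map { $_ => $env->{$_} }
           grep { !/^psgix?\./ && $_ ne 'HTTP_PROXY' } keys %$env;
}

# Start a child process under the given environment and return what it sees
# in HTTP_PROXY, the variable many HTTP client libraries read as proxy config.
sub child_sees_proxy {
    my (%cgi_env) = @_;
    local %ENV = (PATH => $ENV{PATH} // '/usr/bin:/bin', %cgi_env);
    open my $fh, '-|', $^X, '-e', 'print $ENV{HTTP_PROXY} // "(unset)"'
        or die "cannot run child: $!";
    my $seen = <$fh>;
    close $fh;
    return $seen;
}

printf "unfiltered: child HTTP_PROXY = %s\n",
    child_sees_proxy(cgi_env_unfiltered(\%psgi_env));
printf "filtered:   child HTTP_PROXY = %s\n",
    child_sees_proxy(cgi_env_filtered(\%psgi_env));
```

The same idea can be used as a regression check for a patched package: feed the environment-building code a request that carries HTTP_PROXY and confirm the key is absent from the result.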
MGA-32 on Asus A6000VM Xfce
No installation issues.

# urpmq --whatrequires perl-CGI-Emulate-PSGI
perl-CGI-Emulate-PSGI
perl-CGI-Emulate-PSGI
perl-Plack
perl-Plack
rt

Installed rt, but seems a complex thing to test.
At CLI:
# strace -o rttest.txt rt-setup-database --action init rttest
In order to create or update your RT database, this script needs to connect to your mysql instance on localhost as root
Please specify that user's database password below. If the user has no database password, just press return.
Password:
Working with:
Type: mysql
Host: localhost
Name: rt4
User: rt_user
DBA: root
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now creating a mysql database rt4 for RT.
Done.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now populating database schema.
Done.
and then more
Now inserting database ACLs.
Granting access to rt_user@'localhost' on rt4.
Done.
Now inserting RT core system objects.
Done.
Now inserting data.
Done inserting data.
Done.
with above warnings interspersed

But the trace file did not show any call to one of the elements of the test package.
At least nothing seems to be broken by the installation.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Other test possibilities?

$ urpmq --whatrequires-recursive perl-CGI-Emulate-PSGI | sort | uniq
mga-mirrors
perl-Catalyst-Action-RenderView
... then a long list of perl-... modules to
perl-Twiggy
rt

mga-mirrors - Mageia Mirrors management
/usr/bin/check_mirror
/usr/bin/mga_mirrors_cgi.pl
/usr/bin/mga_mirrors_create.pl
/usr/bin/mga_mirrors_fastcgi.pl
/usr/bin/mga_mirrors_server.pl
/usr/bin/mga_mirrors_test.pl

I shall investigate this, in hope. Installing mga-mirrors pulled in 77 pkgs, including the one in question.
CC: (none) => lewyssmith
As for many perl libraries, there isn't any valid test procedure beside running dedicated unit tests during the build process (make test). Curiously, they are disabled in the spec file, I don't know why, but they work for me.

Just installing a web application that may eventually use it for some unknown purpose (remember: this is an automatic dependency computed by a code parser) doesn't have any added value here.

All in all, just forget testing, you're losing your time.
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => davidwhodgins
(In reply to Guillaume Rousse from comment #5)
> As for many perl libraries, there isn't any valid test procedure beside
> running dedicated unit tests during the build process (make test).
> Curiously, they are disabled in the spec file, I don't know why, but they
> work for me.
>
> All in all, just forget testing, you're losing your time.

Guillaume: thank you for this helpful & frank advice!

M5x64
I had indeed wasted hours messing with the binaries noted in Comment 4,
$ mga_mirrors_server.pl -help
being the only one worth looking at. Another one invites the installation of something from CPAN; DO NOT DO THAT - the consequences are dire.

perl-CGI-Emulate-PSGI-0.200.0-5.1.mga5
So I just went for a clean update, which it was. That will have to do.
Validating; advisory already registered.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0146.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED