Bug 19168 - perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387)
Summary: perl-CGI-Emulate-PSGI new "httpoxy" security issue (CVE-2016-5387)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/694861/
Whiteboard: MGA5-32-OK advisory
Depends on:
Reported: 2016-08-09 20:41 CEST by David Walser
Modified: 2017-05-19 19:38 CEST
CC: 4 users

See Also:
Source RPM: perl-CGI-Emulate-PSGI-0.210.0-3.mga6.src.rpm
Status comment:


Description David Walser 2016-08-09 20:41:27 CEST
Fedora has issued an advisory on August 8:

The security issue is related to the "httpoxy" set of flaws.

The issue is fixed in 0.22.
Comment 1 David Walser 2016-11-17 03:03:29 CET
Fixed in Cauldron by Guillaume (thanks!).
Comment 2 Sander Lepik 2017-05-12 17:07:16 CEST
I have uploaded a patched package for Mageia 5.

I don't know how to test this, but I have confirmed that the patch is applied.

Suggested advisory:

This update removes the setting of the HTTP_PROXY environment value. This works around the httpoxy vulnerability (aka CVE-2016-5387).


Updated packages in core/updates_testing:

Source RPM:
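As an added illustration of what the advisory describes (this is not the CGI::Emulate::PSGI code nor the Mageia patch), the following stand-alone Perl script builds a CGI-style environment from a PSGI env hash and drops HTTP_PROXY, which a server derives from a client-supplied "Proxy:" request header. The sample PSGI env and the helper name cgi_env_from_psgi are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not the module's own code: mirror the httpoxy fix by never
# letting a request-derived HTTP_PROXY reach the CGI environment, where HTTP
# client libraries would read it as an outgoing proxy setting.
use strict;
use warnings;

# Hypothetical helper: turn a PSGI env hashref into a CGI-style env hashref.
sub cgi_env_from_psgi {
    my ($psgi_env) = @_;
    my %cgi;
    for my $key (keys %$psgi_env) {
        # psgi.* / psgix.* keys are PSGI-internal, not CGI variables.
        next if $key =~ /^psgix?\./;
        $cgi{$key} = $psgi_env->{$key};
    }
    # httpoxy (CVE-2016-5387): HTTP_PROXY is the CGI mapping of a client's
    # "Proxy:" header, so it must be removed rather than propagated.
    delete $cgi{HTTP_PROXY};
    return \%cgi;
}

# Constructed sample PSGI env, as a PSGI server would hand it to the app.
my $psgi_env = {
    REQUEST_METHOD => 'GET',
    PATH_INFO      => '/',
    HTTP_HOST      => 'example.test',
    HTTP_PROXY     => 'http://proxy.example:8080',   # from a "Proxy:" header
    'psgi.version' => [ 1, 1 ],
};

my $cgi_env = cgi_env_from_psgi($psgi_env);

# Check the outcome: the header-derived value must not survive.
print exists $cgi_env->{HTTP_PROXY}
    ? "FAIL: HTTP_PROXY leaked into the CGI environment\n"
    : "OK: HTTP_PROXY dropped from the CGI environment\n";
```

The same check can be run against the installed module by feeding such an env through its environment emulation and asserting that HTTP_PROXY is absent from the result.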
Comment 3 Herman Viaene 2017-05-18 10:30:27 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues.
# urpmq --whatrequires perl-CGI-Emulate-PSGI
Installed rt, but seems a complex thing to test.
# strace -o rttest.txt rt-setup-database --action init rttest
In order to create or update your RT database, this script needs to connect to your  mysql instance on localhost as root
Please specify that user's database password below. If the user has no database
password, just press return.

Working with:
Type:	mysql
Host:	localhost
Name:	rt4
User:	rt_user
DBA:	root
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now creating a mysql database rt4 for RT.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 270, <STDIN> line 1.
Use of uninitialized value $innodb in lc at /usr/lib/perl5/vendor_perl/5.20.1/RT/Handle.pm line 273, <STDIN> line 1.
Now populating database schema.

and then more
Now inserting database ACLs.
Granting access to rt_user@'localhost' on rt4.
Done.Now inserting RT core system objects.
Now inserting data.
Done inserting data.
with above warnings interspersed
But the trace file did not show any call to one of the elements of the test package.
At least nothing seems to be broken by the installation.
Comment 4 Lewis Smith 2017-05-18 20:11:15 CEST
Other test possibilities?
 $ urpmq --whatrequires-recursive perl-CGI-Emulate-PSGI | sort | uniq
 ... then a long list of perl-... modules to

mga-mirrors - Mageia Mirrors management
    /usr/bin/mga_mirrors_create.pl
    /usr/bin/mga_mirrors_fastcgi.pl
    /usr/bin/mga_mirrors_server.pl
    /usr/bin/mga_mirrors_test.pl
I shall investigate this, in hope. Installing mga-mirrors pulled in 77 pkgs, including the one in question.
Comment 5 Guillaume Rousse 2017-05-19 19:35:07 CEST
As for most perl libraries, there isn't any valid test procedure besides running the dedicated unit tests during the build process (make test). Curiously, they are disabled in the spec file, I don't know why, but they work for me.

Just installing a web application that may eventually use it for some unknown purpose (remember: this is an automatic dependency computed by a code parser) doesn't have any added value here. All in all, just forget testing, you're wasting your time.
