Bug 23127 - perl-Dancer2 several security issues fixed upstream in 0.206
Summary: perl-Dancer2 several security issues fixed upstream in 0.206
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 18:47 CEST by David Walser
Modified: 2018-11-03 12:56 CET (History)

See Also:
Source RPM: perl-Dancer2-0.166.1-2.mga6.src.rpm
CVE:
Status comment:


Attachments
test dancer2 (69 bytes, text/plain)
2018-10-29 16:57 CET, Herman Viaene

Description David Walser 2018-06-07 18:47:51 CEST
Fedora has issued an advisory on May 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-06-08 21:14:30 CEST
Assigning to our Perl stack maintainers, CC'ing the registered maintainer.

CC: (none) => marja11, shlomif
Assignee: bugsquad => perl

Comment 2 Bruno Cornec 2018-10-11 02:01:22 CEST
shlomif updated cauldron with 0.206

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 3 Bruno Cornec 2018-10-11 02:22:39 CEST
I pushed 0.206 for 6 in core/updates_testing with the deps needed (perl-Type-Tiny, perl-HTTP-XSCookies, perl-HTTP-Headers-Fast)

Assignee: perl => qa-bugs
Target Milestone: --- => Mageia 6

Comment 4 David Walser 2018-10-12 01:22:08 CEST
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a
potential RCE with regards to Storable. Dancer2 adds session ID validation to
the session engine so that session backends based on Storable can reject
malformed session IDs that may lead to exploitation of the RCE. Parsing
requests now uses HTTP::Entity::Parser which reduces the amount of code needed
and does not require re-parsing the request body.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Target Milestone: Mageia 6 => ---

Comment 5 Herman Viaene 2018-10-25 16:26:09 CEST
When I try to select perl-Dancer2 I get:
Sorry, the following package is not selectable:

- perl-Dancer2-0.206.0-1.1.mga6.noarch (because of  unfulfilled perl(Plack)[>= 1.4.0])

CC: (none) => herman.viaene

Comment 6 David Walser 2018-10-25 16:40:06 CEST
So we'll need to update perl-Plack too.

Keywords: (none) => feedback

Comment 7 Bruno Cornec 2018-10-26 00:46:56 CEST
Was trickier than I thought !

So for this perl-Dancer2 update, you now need:

perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Plack-1.4.700-1.1.mga6

all of them in core/updates_testing
Comment 8 David Walser 2018-10-26 01:34:23 CEST
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a
potential RCE with regards to Storable. Dancer2 adds session ID validation to
the session engine so that session backends based on Storable can reject
malformed session IDs that may lead to exploitation of the RCE. Parsing
requests now uses HTTP::Entity::Parser which reduces the amount of code needed
and does not require re-parsing the request body.

The perl-Dancer2 package has been updated to version 0.206.0 to fix this issue.

Also, the perl-HTTP-XSCookies, perl-WWW-Form-UrlEncoded,
perl-HTTP-MultiPartParser, and perl-HTTP-Entity-Parser dependencies have been
added and the perl-Type-Tiny, perl-HTTP-Headers-Fast, perl-JSON-MaybeXS, and
perl-Plack dependencies have been updated for the new perl-Dancer2 version.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Plack-1.4.700-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6.src.rpm
perl-JSON-MaybeXS-1.4.0-1.mga6.src.rpm
perl-HTTP-MultiPartParser-0.20.0-1.mga6.src.rpm
perl-HTTP-Entity-Parser-0.210.0-1.mga6.src.rpm
perl-Plack-1.4.700-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Keywords: feedback => (none)

Comment 9 Bruno Cornec 2018-10-26 11:10:03 CEST
You also need perl-Cookie-Baker-0.100.0-1.2.mga6 added to mga6 as well.
Comment 10 Dave Hodgins 2018-10-26 15:24:16 CEST
Adding feedback marker as per comment 9 which results in ...
# urpmi --test perl-Plack
A requested package cannot be installed:
perl-Plack-1.4.700-1.1.mga6.noarch (due to unsatisfied perl(Cookie::Baker)[>= 0.70.0])

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 11 David Walser 2018-10-26 16:08:32 CEST
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a
potential RCE with regards to Storable. Dancer2 adds session ID validation to
the session engine so that session backends based on Storable can reject
malformed session IDs that may lead to exploitation of the RCE. Parsing
requests now uses HTTP::Entity::Parser which reduces the amount of code needed
and does not require re-parsing the request body.

The perl-Dancer2 package has been updated to version 0.206.0 to fix this issue.

Also, the perl-HTTP-XSCookies, perl-WWW-Form-UrlEncoded,
perl-HTTP-MultiPartParser, and perl-HTTP-Entity-Parser dependencies have been
added and the perl-Type-Tiny, perl-HTTP-Headers-Fast, perl-JSON-MaybeXS,
perl-Cookie-Baker, and perl-Plack dependencies have been updated for the new
perl-Dancer2 version.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Cookie-Baker-0.100.0-1.2.mga6
perl-Plack-1.4.700-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6.src.rpm
perl-JSON-MaybeXS-1.4.0-1.mga6.src.rpm
perl-HTTP-MultiPartParser-0.20.0-1.mga6.src.rpm
perl-HTTP-Entity-Parser-0.210.0-1.mga6.src.rpm
perl-Cookie-Baker-0.100.0-1.2.mga6.src.rpm
perl-Plack-1.4.700-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Keywords: feedback => (none)
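The advisory above says the fix adds session ID validation so that Storable-based session backends reject malformed IDs before they are used. The following is an added illustration of that kind of check, written for this page; it is not Dancer2's own code. The allowed alphabet, the length bounds, the `.stor` file suffix, the directory name and the sample IDs are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumed character class for a well-formed session ID: URL-safe characters
# only, so an ID can never contain a path separator, a dot sequence or a NUL.
# The length bounds are also an assumption for this example.
my $SESSION_ID_RE = qr/\A[A-Za-z0-9_\-~]{16,128}\z/;

# Returns 1 for an acceptable ID, 0 otherwise. Rejecting here, before the
# ID reaches a storage backend, is the hardening the advisory describes.
sub validate_session_id {
    my ($id) = @_;
    return 0 unless defined $id;
    return $id =~ $SESSION_ID_RE ? 1 : 0;
}

# Build the on-disk path for a file-based session only after validation, so
# the result is always a direct child of $dir and never a caller-chosen path.
sub session_file_path {
    my ($dir, $id) = @_;
    die "refusing malformed session ID\n" unless validate_session_id($id);
    return File::Spec->catfile($dir, "$id.stor");
}

# Constructed sample IDs (not real session data) with the expected outcome.
my @samples = (
    [ 'e3b0c44298fc1c149afbf4c8996fb924', 'well-formed hex ID'       ],
    [ 'AbC-123_xyz~789012',               'well-formed URL-safe ID'  ],
    [ '../../../tmp/not-a-session',        'contains path separators' ],
    [ "abcdefghijklmnop\0trailing",        'contains a NUL byte'      ],
    [ 'short',                             'below minimum length'     ],
    [ '',                                  'empty'                    ],
    [ undef,                               'undefined (no cookie)'    ],
);

for my $sample (@samples) {
    my ($id, $label) = @$sample;
    my $shown = defined $id ? $id : '<undef>';
    $shown =~ s/\0/\\0/g;    # make the NUL visible when printed
    my $verdict = validate_session_id($id) ? 'ACCEPT' : 'REJECT';
    printf "%-7s %-26s %s\n", $verdict, $label, $shown;
}

# A rejected ID never reaches the path builder, so no file is ever opened
# for it (assumed directory name).
my $dir = '/var/lib/app/sessions';
print "path: ", session_file_path($dir, 'e3b0c44298fc1c149afbf4c8996fb924'), "\n";
eval { session_file_path($dir, '../../../tmp/not-a-session') };
print "error: $@" if $@;
```

The point of the ordering is that the backend is only ever handed an ID that already passed the allow-list; a backend that deserializes with Storable should never have to decide for itself whether an ID is safe to turn into a file name.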

Comment 12 Herman Viaene 2018-10-29 16:56:07 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Found very simple example at https://metacpan.org/pod/Dancer2::Tutorial
made test file dancertest with the example, then at the CLI
$ perl dancer2test 
>> Dancer2 v0.206000 server 2096 listening on http://0.0.0.0:3000

and point browser at http://localhost:3000/ which displays "Hello World"
Seems OK
Comment 13 Herman Viaene 2018-10-29 16:57:01 CET
Created attachment 10438
test dancer2
Herman Viaene 2018-10-29 16:57:17 CET

Whiteboard: (none) => MGA6-32-OK

Comment 14 Thomas Andrews 2018-11-02 19:51:06 CET
Validating. Most correct advisory in Comment 11.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-11-03 12:22:55 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 15 Mageia Robot 2018-11-03 12:56:23 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0428.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

