Fedora has issued an advisory on May 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/ Mageia 5 is also affected.
Assigning to our Perl stack maintainers, CC'ing the registered maintainer.
CC: (none) => marja11, shlomif
Assignee: bugsquad => perl
shlomif updated cauldron with 0.206
Status: NEW => ASSIGNED
CC: (none) => bruno
I pushed 0.206 for 6 in core/updates_testing with the deps needed (perl-Type-Tiny, perl-HTTP-XSCookies, perl-HTTP-Headers-Fast)
Assignee: perl => qa-bugs
Target Milestone: --- => Mageia 6
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================

perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm
Target Milestone: Mageia 6 => ---
When I try to select perl-Dancer2 I get:

Sorry, the following package is not selectable:
- perl-Dancer2-0.206.0-1.1.mga6.noarch (because of unfulfilled perl(Plack)[>= 1.4.0])
CC: (none) => herman.viaene
So we'll need to update perl-Plack too.
Keywords: (none) => feedback
Was trickier than I thought! So for this perl-Dancer2 update, you now need:

perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Plack-1.4.700-1.1.mga6

all of them in core/updates_testing
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.

The perl-Dancer2 package has been updated to version 0.206.0 to fix this issue. Also, the perl-HTTP-XSCookies, perl-WWW-Form-UrlEncoded, perl-HTTP-MultiPartParser, and perl-HTTP-Entity-Parser dependencies have been added and the perl-Type-Tiny, perl-HTTP-Headers-Fast, perl-JSON-MaybeXS, and perl-Plack dependencies have been updated for the new perl-Dancer2 version.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================

perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Plack-1.4.700-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6.src.rpm
perl-JSON-MaybeXS-1.4.0-1.mga6.src.rpm
perl-HTTP-MultiPartParser-0.20.0-1.mga6.src.rpm
perl-HTTP-Entity-Parser-0.210.0-1.mga6.src.rpm
perl-Plack-1.4.700-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm
Keywords: feedback => (none)
You also need perl-Cookie-Baker-0.100.0-1.2.mga6 added to mga6 as well.
Adding feedback marker as per comment 9 which results in ...

# urpmi --test perl-Plack
A requested package cannot be installed:
perl-Plack-1.4.700-1.1.mga6.noarch (due to unsatisfied perl(Cookie::Baker)[>= 0.70.0])
Keywords: (none) => feedback
CC: (none) => davidwhodgins
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.

The perl-Dancer2 package has been updated to version 0.206.0 to fix this issue. Also, the perl-HTTP-XSCookies, perl-WWW-Form-UrlEncoded, perl-HTTP-MultiPartParser, and perl-HTTP-Entity-Parser dependencies have been added and the perl-Type-Tiny, perl-HTTP-Headers-Fast, perl-JSON-MaybeXS, perl-Cookie-Baker, and perl-Plack dependencies have been updated for the new perl-Dancer2 version.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================

perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6
perl-JSON-MaybeXS-1.4.0-1.mga6
perl-HTTP-MultiPartParser-0.20.0-1.mga6
perl-HTTP-Entity-Parser-0.210.0-1.mga6
perl-Cookie-Baker-0.100.0-1.2.mga6
perl-Plack-1.4.700-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-WWW-Form-UrlEncoded-0.250.0-1.mga6.src.rpm
perl-JSON-MaybeXS-1.4.0-1.mga6.src.rpm
perl-HTTP-MultiPartParser-0.20.0-1.mga6.src.rpm
perl-HTTP-Entity-Parser-0.210.0-1.mga6.src.rpm
perl-Cookie-Baker-0.100.0-1.2.mga6.src.rpm
perl-Plack-1.4.700-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm
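The session ID validation the advisory describes, as an added Perl example that is not Dancer2's own code: the allowlist regex, the length bounds and the one-file-per-session layout are assumptions, but the principle is the one stated in the advisory, a malformed ID is rejected before a Storable-based backend ever touches the filesystem.

```perl
#!/usr/bin/perl
# Added example, not Dancer2's own code: a Storable-backed session store that
# validates a session ID before the ID is ever used to build a file path.
use strict;
use warnings;
use Storable qw(store retrieve);
use File::Temp qw(tempdir);
use File::Spec;

# Assumed allowlist and length bounds for a well-formed generated ID.
# Path separators, dots, NULs and whitespace can never match, so an
# ID that would name a file outside the session directory is refused.
sub validate_session_id {
    my ($id) = @_;
    return 0 unless defined $id;
    return 0 if length($id) < 8 || length($id) > 64;
    return $id =~ /\A[A-Za-z0-9_\-]+\z/ ? 1 : 0;
}

# Only a validated ID is mapped to a file inside the session directory.
sub session_path {
    my ($dir, $id) = @_;
    die "malformed session id\n" unless validate_session_id($id);
    return File::Spec->catfile($dir, "$id.storable");
}

sub store_session {
    my ($dir, $id, $data) = @_;
    store($data, session_path($dir, $id));
}

sub retrieve_session {
    my ($dir, $id) = @_;
    my $path = session_path($dir, $id);    # dies before any filesystem access
    return -e $path ? retrieve($path) : undef;
}

# Constructed sample session in a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
store_session($dir, 'abc123DEF456', { user => 'alice' });
my $session = retrieve_session($dir, 'abc123DEF456');
print "valid id       -> user=$session->{user}\n";

# Constructed malformed IDs; each must be rejected before Storable runs.
for my $bad ('../../other-id', "abc\0defghij", 'abc 123 def', 'short', '') {
    my $outcome = eval { retrieve_session($dir, $bad); 'accepted' } // 'rejected';
    (my $shown = $bad) =~ s/[^[:print:]]/?/g;
    printf "%-14s -> %s\n", "'$shown'", $outcome;
}
```

Run it with a stock perl; only core modules are used, and the valid ID round-trips while every malformed one dies in validate_session_id before retrieve is reached.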
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Found very simple example at https://metacpan.org/pod/Dancer2::Tutorial, made test file dancertest with example, then at CLI

$ perl dancer2test
>> Dancer2 v0.206000 server 2096 listening on http://0.0.0.0:3000

and point browser at http://localhost:3000/ which displays "Hello World".

Seems OK
Created attachment 10438: test dancer2
Whiteboard: (none) => MGA6-32-OK
Validating. Most correct advisory in Comment 11.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0428.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED