Bug 23127 - perl-Dancer2 several security issues fixed upstream in 0.206
Summary: perl-Dancer2 several security issues fixed upstream in 0.206
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-07 18:47 CEST by David Walser
Modified: 2018-10-12 01:22 CEST

See Also:
Source RPM: perl-Dancer2-0.166.1-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-06-07 18:47:51 CEST
Fedora has issued an advisory on May 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-06-08 21:14:30 CEST
Assigning to our Perl stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => perl
CC: (none) => marja11, shlomif

Comment 2 Bruno Cornec 2018-10-11 02:01:22 CEST
shlomif updated cauldron with 0.206

CC: (none) => bruno
Status: NEW => ASSIGNED

Comment 3 Bruno Cornec 2018-10-11 02:22:39 CEST
I pushed 0.206 for 6 in core/updates_testing with the deps needed (perl-Type-Tiny, perl-HTTP-XSCookies, perl-HTTP-Headers-Fast)

Target Milestone: --- => Mageia 6
Assignee: perl => qa-bugs

Comment 4 David Walser 2018-10-12 01:22:08 CEST
Advisory:
========================

Updated perl-Dancer2 package fixes security vulnerabilities:

Dancer2 0.206000 addresses several potential security issues. There is a
potential RCE with regards to Storable. Dancer2 adds session ID validation to
the session engine so that session backends based on Storable can reject
malformed session IDs that may lead to exploitation of the RCE. Parsing
requests now uses HTTP::Entity::Parser which reduces the amount of code needed
and does not require re-parsing the request body.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQXVVVJM54QO6NGMMJJH56545OVCFQA4/
========================

Updated packages in core/updates_testing:
========================
perl-Type-Tiny-1.4.2-1.1.mga6
perl-HTTP-XSCookies-0.0.21-1.1.mga6
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6
perl-Dancer2-0.206.0-1.1.mga6

from SRPMS:
perl-Type-Tiny-1.4.2-1.1.mga6.src.rpm
perl-HTTP-XSCookies-0.0.21-1.1.mga6.src.rpm
perl-HTTP-Headers-Fast-0.210.0-1.1.mga6.src.rpm
perl-Dancer2-0.206.0-1.1.mga6.src.rpm

Target Milestone: Mageia 6 => ---
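The advisory above describes the mitigation in general terms: validate the session ID before a Storable-based backend ever uses it to locate and deserialize a session. The following added example illustrates that pattern in a minimal file-backed store. It is written for this page and is not Dancer2's own implementation; the directory layout, the accepted alphabet and the length limits are assumptions chosen for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Storable qw(nstore retrieve);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical minimal file-backed session store used only to illustrate
# session ID validation; this is not Dancer2's code.
my $SESSION_DIR = tempdir( CLEANUP => 1 );

# The ID must match a fixed alphabet and length (assumed values). \A and \z
# are used instead of ^ and $ so that a trailing newline is also rejected.
# Anything else (path separators, '..', control characters) is refused
# before it can reach the filesystem or Storable.
sub valid_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[A-Za-z0-9_\-]{16,128}\z/;
}

# Build the on-disk path only for an ID that has passed validation.
sub session_path {
    my ($id) = @_;
    die "invalid session id\n" unless valid_session_id($id);
    return File::Spec->catfile( $SESSION_DIR, "$id.sess" );
}

sub store_session {
    my ( $id, $data ) = @_;
    nstore( $data, session_path($id) );
    return 1;
}

# Returns the session hash, or undef if no session exists for a valid ID.
sub retrieve_session {
    my ($id) = @_;
    my $path = session_path($id);
    return undef unless -f $path;
    return retrieve($path);
}

# Constructed demo values.
my $good = 'a' x 32;
store_session( $good, { user => 'alice' } );
my $session = retrieve_session($good);
print "loaded user: $session->{user}\n";

for my $bad ( '../../etc/passwd', 'tooshort', 'has space in it 1234' ) {
    eval { retrieve_session($bad) };
    print "rejected '$bad': $@" if $@;
}
```

The point of the check is its position: the ID is validated before it is used to build a path and before anything is handed to Storable, so a malformed or attacker-chosen identifier never reaches the deserializer. Using `\A` and `\z` rather than `^` and `$` matters in Perl, because `$` alone would still accept an ID with a trailing newline.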

