Created attachment 11566
Fix taint issue in Template/Provider.pm

As reported upstream [1] (and first discovered by the GCC team [2]), Bugzilla doesn't work correctly when used with the 2.x version of Template-Toolkit on newer versions of perl (2.26 and newer). Upgrading to version 3.000 or higher fixes the problem. As reported on GitHub [3], TT 3 has a taint issue, and so a trivial fix is needed to stop filling the web server log.

I attached a patch which fixes the problem.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1625554
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94349
[3] https://github.com/abw/Template2/issues/258

Assignee: bugsquad => shlomif
CC: (none) => thierry.vignaud
I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for that! Meanwhile, 3.008 has been released which fixes this taint issue, and it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so that we don't need our own hack anymore?
(In reply to Frédéric "LpSolit" Buclin from comment #1)
> I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for
> that! Meanwhile, 3.008 has been released which fixes this taint issue, and
> it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so
> that we don't need our own hack anymore?

built 3.008 for 7/updates-testing, thanks! http://pkgsubmit.mageia.org/ .

(In reply to Shlomi Fish from comment #2)
> (In reply to Frédéric "LpSolit" Buclin from comment #1)
> > I see that shlomif pushed 3.007 to Mageia 7 updates_testing. Thank you for
> > that! Meanwhile, 3.008 has been released which fixes this taint issue, and
> > it has been pushed to Mageia 8 by tv. Could it be pushed to Mageia 7 too, so
> > that we don't need our own hack anymore?
>
> built 3.008 for 7/updates-testing, thanks! http://pkgsubmit.mageia.org/ .

Assigning to QA. Note that there are reverse deps to test using:

```
#! /bin/bash
#
# test.bash
#
# derived from https://github.com/metacpan/metacpan-api/blob/master/docs/API-docs.md
# Shlomi Fish puts his changes under CC-Zero.
#
curl -XPOST https://fastapi.metacpan.org/v1/release/_search -d '{
  "size": 5000,
  "fields": [ "distribution" ],
  "filter": {
    "and": [
      { "term": { "dependency.module": "Template" } },
      { "term": {"maturity": "released"} },
      { "term": {"status": "latest"} }
    ]
  }
}'
```
Assignee: shlomif => qa-bugs
Found perl-Template-Toolkit 3.8.0 on the updates testing, installed it with no apparent setbacks when installing a few extra packages for Libreoffice. Is that what this is all about???
CC: (none) => herman.viaene
Tested on Mageia 7 with Bugzilla 5.0.4 and 5.1.2. Problem fixed.
Looks like this should be cleared. Adding the OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Validating. Some advisory information in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2020-0157.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED