Ubuntu has issued an advisory on September 16: https://ubuntu.com/security/notices/USN-4503-1 The issue is fixed upstream in 1.643.
Various maintainers = assign globally!
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory on September 20: https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html There was an additional issue fixed in 1.643.
Summary: perl-DBI new security issue CVE-2020-14392 => perl-DBI new security issues CVE-2020-14392 and CVE-2020-14393
Ubuntu has issued an advisory today (September 23): https://ubuntu.com/security/notices/USN-4534-1 There was yet another issue fixed in 1.643.
Summary: perl-DBI new security issues CVE-2020-14392 and CVE-2020-14393 => perl-DBI new security issues CVE-2019-20919, CVE-2020-14392, CVE-2020-14393
Fedora has issued an advisory for this today (September 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
Status comment: (none) => Fixed upstream in 1.643
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. (CVE-2019-20919)

An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. (CVE-2020-14392)

A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data. (CVE-2020-14393)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14393
https://ubuntu.com/security/notices/USN-4503-1
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html
https://ubuntu.com/security/notices/USN-4534-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JXLKODJ7B57GITDEZZXNSHPK4VBYXYHR/
========================

Updated packages in core/updates_testing:
========================

perl-DBI-1.642.0-1.1.mga7
perl-DBI-proxy-1.642.0-1.1.mga7
perl-DBI-ProfileDumper-Apache-1.642.0-1.1.mga7

from SRPM:
perl-DBI-1.642.0-1.1.mga7.src.rpm
Status comment: Fixed upstream in 1.643 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
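As an added example, not part of this bug thread or of the perl-DBI project: a small POSIX sh check that compares a perl-DBI version string (an rpm version such as the ones listed in the advisory, or $DBI::VERSION read from the running perl) against the fixed upstream release 1.643 named in the status comment. The function names and the component-wise integer comparison are assumptions of this example; the comparison holds for DBI's three-digit minor numbers (1.642 < 1.643) but is not a general Perl-version comparator.

```shell
#!/bin/sh
# Added example: version check against the upstream fix release for
# CVE-2019-20919, CVE-2020-14392 and CVE-2020-14393 (fixed in DBI 1.643).

FIXED_VERSION="1.643"

# dbi_version_ok VERSION
#   Returns 0 (true) when VERSION is at least 1.643, 1 otherwise.
#   A packaging release suffix (e.g. "1.642.0-1.1.mga7") is stripped first.
#   Assumption: components compare as plain integers, which matches DBI's
#   1.6xx numbering but not Perl's general decimal-version rules.
dbi_version_ok() {
    v="${1%%-*}"   # drop "-release.dist" packaging suffix, if any
    awk -v have="$v" -v want="$FIXED_VERSION" 'BEGIN {
        n = split(have, h, ".")
        m = split(want, w, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            a = (i in h) ? h[i] + 0 : 0   # missing components count as 0
            b = (i in w) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0   # all components equal: exactly the fixed version
    }'
}

# installed_dbi_version
#   Prints $DBI::VERSION from the running perl, or nothing if DBI is absent.
installed_dbi_version() {
    perl -MDBI -e 'print $DBI::VERSION' 2>/dev/null
}

# Stand-alone usage: report on the locally installed module, if any.
if [ "${0##*/}" != "sh" ] && [ -z "${DBI_CHECK_NO_MAIN:-}" ]; then
    have=$(installed_dbi_version)
    if [ -z "$have" ]; then
        echo "perl DBI module not installed"
    elif dbi_version_ok "$have"; then
        echo "DBI $have: at or above fixed release $FIXED_VERSION"
    else
        echo "DBI $have: below fixed release $FIXED_VERSION (check distro advisory)"
    fi
fi
```

The version number alone is not proof of exposure: as the package list in this thread shows, distributions commonly ship the older version string (1.642.0 here) with the fixes backported, so a result below 1.643 should be read together with the distribution's advisory and package changelog rather than as a finding on its own.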
Very much out of my area of expertise, but it's been here over 3 weeks, so... perl-DBI was already installed on my system, so I installed the other two packages, too. Updated all three using QA Repo, no installation issues. No idea of how to test, so passing it on with a clean install. Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
CVE: (none) => CVE-2019-20919, CVE-2020-14392, CVE-2020-14393
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0048.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED