Bug 31678 - perl-Net-Server new security issue CVE-2013-1841
Summary: perl-Net-Server new security issue CVE-2013-1841
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-03-15 15:51 CET by David Walser
Modified: 2023-03-31 02:15 CEST

See Also:
Source RPM: perl-Net-Server-2.9.0-5.mga8.src.rpm
CVE: CVE-2013-1841
Status comment:


Attachments
skeleton command to be located in ~/bin (154 bytes, application/x-perl)
2023-03-28 14:52 CEST, Herman Viaene
skeleton server to be located in ~/lib (135 bytes, application/x-perl)
2023-03-28 14:53 CEST, Herman Viaene

Description David Walser 2023-03-15 15:51:17 CET
SUSE has issued an advisory today (March 15):
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014043.html

The issue is fixed upstream in 2.011.
Comment 1 Nicolas Salguero 2023-03-16 13:26:21 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Net-Server, when the reverse-lookups option is enabled, does not check if the hostname resolves to the source IP address, which might allow remote attackers to bypass ACL restrictions via the hostname parameter. (CVE-2013-1841)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1841
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014043.html
========================

Updated package in core/updates_testing:
========================
perl-Net-Server-2.9.0-5.1.mga8

from SRPM:
perl-Net-Server-2.9.0-5.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2013-1841
CC: (none) => nicolas.salguero
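
Added example, not part of the bug report and not Net::Server's own code: a Python model of the forward-confirmed reverse DNS check whose absence the advisory in comment 1 describes, next to a hostname ACL that trusts the PTR answer alone. The DNS tables, the `trusted.example` ACL and all function names are constructed for illustration.

```python
import ipaddress
import re
import socket

# Constructed DNS data using documentation ranges (RFC 5737). The PTR record
# of an address is controlled by whoever holds that address block, so
# 203.0.113.9 can claim any name; the A record is set by the name's owner.
PTR = {"198.51.100.7": "gw.trusted.example.", "203.0.113.9": "GW.trusted.example"}
A = {"gw.trusted.example": ["198.51.100.7"]}
ALLOW_HOST = re.compile(r"(^|\.)trusted\.example$")  # hypothetical hostname ACL


def table_reverse(ip):
    return PTR.get(ip)


def table_forward(name):
    return A.get(name, [])


def system_reverse(ip):  # live-resolver variant, not used by the sample data
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
    except OSError:
        return []


def normalize(host):
    return host.rstrip(".").lower() if host else None


def allow_unconfirmed(ip, reverse=table_reverse):
    """Model of the flaw: the ACL is matched against the raw PTR answer."""
    host = normalize(reverse(ip))
    return bool(host and ALLOW_HOST.search(host))


def allow_forward_confirmed(ip, reverse=table_reverse, forward=table_forward):
    """The PTR name counts only if it resolves back to the peer address."""
    host = normalize(reverse(ip))
    if not host or not ALLOW_HOST.search(host):
        return False
    peer = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == peer for a in forward(host))
```

Passing `system_reverse` and `system_forward` as the resolver arguments runs the same check against the host's real resolver.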

Comment 2 Herman Viaene 2023-03-28 14:51:14 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki or previous updates, tried # urpmq --whatrequires perl-Net-Server
amavisd-new
cyrus-imapd
cyrus-imapd
getlive
munin-node
perl-Daemon-Whois
perl-Net-Server
perl-Net-Server
perl-Net-Server-Coro
perl-Starman
perl-Tapper-Reports-API
postgrey

But none of those seemed an easy way to get at something.
Googled and found https://perlmaven.com/getting-started-with-net-server and followed the first example with success.
$ perl bin/skeleton.pl 
2023/03/28-14:40:30 SkeletonServer (type Net::Server) starting! pid(9126)
Resolved [*]:8000 to [0.0.0.0]:8000, IPv4
Binding to TCP port 8000 on host 0.0.0.0 with IPv4
Group Not Defined.  Defaulting to EGID '1000 953 1000'
User Not Defined.  Defaulting to EUID '1000'
^C2023/03/28-14:40:55 Server closing!
I will attach the files as I created them. Note: the page is not very clear on this, but I understood and tested that the bin and lib folders are to be located in the user's home (bin existing before, lib having to be created).
When you follow the file names in the page, the command line to test is not correct; it is as listed above.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2023-03-28 14:52:22 CEST
Created attachment 13754
skeleton command to be located in ~/bin
Comment 4 Herman Viaene 2023-03-28 14:53:20 CEST
Created attachment 13755
skeleton server to be located in ~/lib
Herman Viaene 2023-03-28 14:53:42 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2023-03-29 16:27:28 CEST
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-29 17:15:23 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-03-31 02:15:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0120.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

