commit 63844185cea5650895489e8d5a27101fea1d6e9e
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date: Tue Nov 26 14:33:11 2013 +0100
Add a security warning about use of RPC::PlClient
 DBI-1.630-Security-notice-for-Proxy.patch | 55 +++++++++++++++++++++++++++++
 perl-DBI.spec | 8 ++++-
 2 files changed, 62 insertions(+), 1 deletions(-)
---
diff --git a/DBI-1.630-Security-notice-for-Proxy.patch b/DBI-1.630-Security-notice-for-Proxy.patch
new file mode 100644
index 0000000..f79b352
--- /dev/null
+++ b/DBI-1.630-Security-notice-for-Proxy.patch
@@ -0,0 +1,55 @@
+From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Mon, 18 Nov 2013 12:52:09 +0100
+Subject: [PATCH] Security notice for Proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PlRPC is not secure due to Storable. Warn Proxy users about it.
+
+Signed-off-by: Petr Písař <ppisar@xxxxxxxxxx>
+---
+ lib/DBD/Proxy.pm | 7 +++++++
+ lib/DBI/ProxyServer.pm | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm
+index 287b2dc..5948255 100644
+--- a/lib/DBD/Proxy.pm
++++ b/lib/DBD/Proxy.pm
+@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server:
+ $dbh->{"csv_tables"} = $tables;
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlClient> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR AND COPYRIGHT
+ 
+ This module is Copyright (c) 1997, 1998
+diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm
+index 68ad4af..78a0d78 100644
+--- a/lib/DBI/ProxyServer.pm
++++ b/lib/DBI/ProxyServer.pm
+@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
+ =back
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlServer> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR
+ 
+ Copyright (c) 1997 Jochen Wiedmann
+--
+1.8.3.1
+
diff --git a/perl-DBI.spec b/perl-DBI.spec
index 4e87dcf..a009e9a 100644
--- a/perl-DBI.spec
+++ b/perl-DBI.spec
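Review bot: The new SECURITY WARNING sections say only that PlRPC is "not secure due to ... Storable" and to use it "only in trusted environment", which does not tell the reader which process is exposed, so it is unclear whether the concern is eavesdropping on the wire or the deserializing side itself. Storable's thaw blesses whatever the peer sent into package names the peer chose, so the practical risk is that any party able to send a message — every client to the server, and the server to each client — can influence code paths in the receiving process; the warning would be more useful if both copies said that, and named a transport with authentication and integrity protection (or a non-Storable serializer) as the mitigation rather than just "trusted environment". The copy added to lib/DBI/ProxyServer.pm repeats the driver wording although that file documents the server, so its last sentence should read `Run the proxy server only in a trusted environment and do not expose it to untrusted clients.`; both copies also want `in a trusted environment`.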
@@ -8,12 +8,14 @@ Name: perl-DBI
 Version: 1.630
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A database access API for perl
 Group: Development/Libraries
 License: GPL+ or Artistic
 URL: http://dbi.perl.org/
 Source0: http://www.cpan.org/authors/id/T/TI/TIMB/DBI-%{version}.tar.gz
+# Add a security warning about use of RPC::PlClient, bug #1030578, CPAN RT#90475
+Patch0: DBI-1.630-Security-notice-for-Proxy.patch
 BuildRequires: perl
 BuildRequires: perl(ExtUtils::MakeMaker)
 BuildRequires: perl(File::Find)
@@ -95,6 +97,7 @@ database interface independent of the actual database being used.
 %prep
 %setup -q -n DBI-%{version}
+%patch0 -p1
 iconv -f iso8859-1 -t utf-8 lib/DBD/Gofer.pm >lib/DBD/Gofer.pm.new && mv lib/DBD/Gofer.pm{.new,}
 chmod 644 ex/*
@@ -138,6 +141,9 @@ make test
 %{_mandir}/man3/*.3*
 %changelog
+* Tue Nov 26 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 1.630-2
+- Add a security warning about use of RPC::PlClient (bug #1030578)
+
 * Tue Oct 29 2013 Jitka Plesnikova <jplesnik@xxxxxxxxxx> - 1.630-1
 - 1.630 bump
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
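Review bot: The `Patch0` comment in the first hunk cites bug #1030578 and CPAN RT#90475 but does not say that the patch only adds POD text and leaves DBD::Proxy and DBI::ProxyServer behaviour unchanged, so a later reader may take the bug reference as a fix rather than a documented, still-present risk. Suggest `# Documentation-only: warn that the Proxy driver and server deserialize peer data with Storable (bug #1030578, CPAN RT#90475)`. The changelog entry in the third hunk would benefit from the same "documentation-only" wording, and the comment names RPC::PlClient although the patch covers RPC::PlServer as well.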