[perl-DBI] Add a security warning about use of RPC::PlClient

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



commit 63844185cea5650895489e8d5a27101fea1d6e9e
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date:   Tue Nov 26 14:33:11 2013 +0100

    Add a security warning about use of RPC::PlClient

 DBI-1.630-Security-notice-for-Proxy.patch |   55 +++++++++++++++++++++++++++++
 perl-DBI.spec                             |    8 ++++-
 2 files changed, 62 insertions(+), 1 deletions(-)
---
diff --git a/DBI-1.630-Security-notice-for-Proxy.patch b/DBI-1.630-Security-notice-for-Proxy.patch
new file mode 100644
index 0000000..f79b352
--- /dev/null
+++ b/DBI-1.630-Security-notice-for-Proxy.patch
@@ -0,0 +1,55 @@
+From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Mon, 18 Nov 2013 12:52:09 +0100
+Subject: [PATCH] Security notice for Proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+PlRPC is not secure due to Storable. Warn Proxy users about it.
+
+Signed-off-by: Petr Písař <ppisar@xxxxxxxxxx>
+---
+ lib/DBD/Proxy.pm       | 7 +++++++
+ lib/DBI/ProxyServer.pm | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm
+index 287b2dc..5948255 100644
+--- a/lib/DBD/Proxy.pm
++++ b/lib/DBD/Proxy.pm
+@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server:
+   $dbh->{"csv_tables"} = $tables;
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlClient> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR AND COPYRIGHT
+ 
+ This module is Copyright (c) 1997, 1998
+diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm
+index 68ad4af..78a0d78 100644
+--- a/lib/DBI/ProxyServer.pm
++++ b/lib/DBI/ProxyServer.pm
+@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
+ =back
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlServer> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR
+ 
+     Copyright (c) 1997    Jochen Wiedmann
+-- 
+1.8.3.1
+
diff --git a/perl-DBI.spec b/perl-DBI.spec
index 4e87dcf..a009e9a 100644
--- a/perl-DBI.spec
+++ b/perl-DBI.spec
@@ -8,12 +8,14 @@
 
 Name:           perl-DBI
 Version:        1.630
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A database access API for perl
 Group:          Development/Libraries
 License:        GPL+ or Artistic
 URL:            http://dbi.perl.org/
 Source0:        http://www.cpan.org/authors/id/T/TI/TIMB/DBI-%{version}.tar.gz
+# Add a security warning about use of RPC::PlClient, bug #1030578, CPAN RT#90475
+Patch0:         DBI-1.630-Security-notice-for-Proxy.patch
 BuildRequires:  perl
 BuildRequires:  perl(ExtUtils::MakeMaker)
 BuildRequires:  perl(File::Find)
@@ -95,6 +97,7 @@ database interface independent of the actual database being used.
 
 %prep
 %setup -q -n DBI-%{version} 
+%patch0 -p1
 iconv -f iso8859-1 -t utf-8 lib/DBD/Gofer.pm >lib/DBD/Gofer.pm.new &&
   mv lib/DBD/Gofer.pm{.new,}
 chmod 644 ex/*
@@ -138,6 +141,9 @@ make test
 %{_mandir}/man3/*.3*
 
 %changelog
+* Tue Nov 26 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 1.630-2
+- Add a security warning about use of RPC::PlClient (bug #1030578)
+
 * Tue Oct 29 2013 Jitka Plesnikova <jplesnik@xxxxxxxxxx> - 1.630-1
 - 1.630 bump
 
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel





[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux