https://bugzilla.redhat.com/show_bug.cgi?id=1051108

Vincent Danen <vdanen@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|perl-PlRPC: pre-auth remote |CVE-2013-7284 perl-PlRPC:
                   |code execution              |pre-auth remote code
                   |                            |execution
              Alias|                            |CVE-2013-7284

--- Comment #2 from Vincent Danen <vdanen@xxxxxxxxxx> ---
The actual proposed patch to upstream is here:

* https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch

Based on the discussion in bug #1030572, there is no real "fix" for this as it
seems that Storable deserialization is exposed prior to password-based
authentication (see how AcceptUser is called in the server code).

MITRE assigned CVE-2013-7284 to this issue.