https://bugzilla.redhat.com/show_bug.cgi?id=1051108

--- Comment #5 from Tomas Hoger <thoger@xxxxxxxxxx> ---
Here is the Storable documentation that describes the security risks of
deserializing untrusted inputs using Storable:

http://search.cpan.org/~ams/Storable-2.45/Storable.pm#SECURITY_WARNING

The only package shipped in Red Hat Software Collections 1 and Red Hat
Enterprise Linux 7 Beta is perl-DBI with DBI::Proxy / DBI::ProxyServer modules.
Those modules are not used by any other package shipped as part of those
products.

There is an upstream bug requesting addition of security warnings to DBI
documentation:

https://rt.cpan.org/Public/Bug/Display.html?id=90475

It does not seem there's a way to fix this without introducing an incompatible
protocol change by using a different way to serialize data for network
transfer. An alternative may be to have Storable provide a safe mode to
deserialize untrusted inputs. That seems to be on the Storable upstream TODO
list, but is not available in the current version.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel