On Tue, 27 Dec 2005, Michael Mansour wrote: > Hi, > > I'm trying to apply the latest contrib perl from: > > http://www.fedoralegacy.org/contrib/perl/ > > namely: > > perl-5.8.3-19.2.legacy.i386.rpm > perl-suidperl-5.8.3-19.2.legacy.i386.rpm > > but I get the following result: > > # rpm -Uvh perl-suidperl-5.8.3-19.2.legacy.i386.rpm > perl-5.8.3-19.2.legacy.i386.rpm > warning: perl-suidperl-5.8.3-19.2.legacy.i386.rpm: Header V3 DSA signature: > NOKEY, key ID 5740edab > error: Failed dependencies: > libdb-4.2.so is needed by perl-5.8.3-19.2.legacy.i386 > > Where can I get libdb-4.2.so from? > > When I check via yum whatprovides, I can find everything except 4.2. > > Thanks. > > Michael. What version of Linux are you using, Michael? The perl-5.8.3-19.2.legacy.i386.rpm series as posted to fedoralegacy.org/contrib is a pre-testing Legacy version of Perl compiled for use with Fedora Core 2. I was thinking you use Fedora Core 1. You may wish to check Bugzilla bug # 152845 at <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845> to make sure you're downloading the binaries for the Distro you are running. Assuming binaries are available there. (If you're running FC1, I have binaries at home on my system I can upload there that match the FC1 sources, if you want to use them. I've only uploaded the FC1 sources (perl-5.8.3-17.3.legacy.src.rpm) there. But you may want to wait for the version of Perl for your OS Distro being built now that should be pushed to updates-testing in a day or two.) Remember, Michael. The binary (and source!) packages published at <http://fedoralegacy.org/contrib/> have not been through full QA. You use them AT YOUR OWN RISK! NEW PERL BUGZILLA TICKET NEEDED? --- ---- -------- ------ ------- I think we need to open a new Bug report for the more recent Perl vulnerability(ies), CVE-2005-3962, "Integer overflow in the format string functionality...." Either that, or we need to add the fixes for this CVE to the current Perl Bugzilla 152845 that we are working on (and get some participation in QA'ing it!!!). Would appreciate your (and everyone's!) opinion on this, Michael. Because of low interest (or low prioritization for doing QA work) by participants of the Fedora Legacy Project for Perl, the Perl bug # 152845 has been open for more than a year and gotten rather long in the tooth: However, it has over that year accumulated a lot of important Security fixes. Just not yet CVE-2005-3962 (which is rated moderate security impact by the Red Hat Security Response Team) ... I am in the process of building (for updates-testing) binary Perl packages that have passed our PUBLISH QA in that bug (for all Security issues we know of except for CVE-2005-3962) on Fedora Legacy's build server, and I hope we can have test packages pushed to updates-testing within a day or two. But we can stop this process and fold in updates for CVE-2005-3962 if it is felt that it is necessary to do so at this point. My fear is, if we *DO* stop the build process to fold in CVE-2005-3962 for the vulnerable distro's, it will be yet another year before we get the necessary QA for Perl's source rpms so we can build for updates-testing, let alone push to updates! Whatever we decide to do, your QA on upcoming binary packages will be most warmly accepted. :) Thanks. Warm regards, David Eisenstein -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list