Bug#745427: libdbi-perl: Suggests libplrpc-perl which should be removed from the archive
Damyan Ivanov
dmn at debian.org
Mon Apr 21 18:12:31 UTC 2014
-=| Salvatore Bonaccorso, 21.04.2014 16:29:10 +0200 |=-
> Source: libdbi-perl
> Severity: important
>
> libplrpc-perl should be removed from the archive[1] as it uses
> Storable in an unsafe way, leading to a remote code execution
> vulnerability (in both the client and the server).[2,3].
>
> Petr from Red Hat also asked to add a security notice for the proxy
> drivers[4], but this code is unmaintained in DBI[5].
>
> libdbi-perl is the only consumer of libplrpc-perl via Suggests, so I
> propose to drop the Suggests and maybe add a NEWS.Debian mentioning
> the removal. Does anybody otherwise have another, better approach?
I have the following changes locally, will push to alioth shortly:
* Remove libplrpc-perl from Suggests.
* Warn users of DBI::Proxy about its unsafe usage of Storable.
The first change closes this bug, and the second applies the
documentation patch adding warnings about using the Proxy module.
I am not sure if a NEWS.Debian is needed. The removal of libplrpc-perl
should be visible enough, no?
> [1] https://bugs.debian.org/734789
> [2] https://rt.cpan.org/Public/Bug/Display.html?id=90474
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1030572
> [4] https://rt.cpan.org/Public/Bug/Display.html?id=90475
> [5] https://rt.cpan.org/Public/Bug/Display.html?id=61976#txn-840757