Bug#745427: libdbi-perl: Suggests libplrpc-perl which should be removed from the archive
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 21 19:06:42 UTC 2014
Hey Damyan,
On Mon, Apr 21, 2014 at 09:12:31PM +0300, Damyan Ivanov wrote:
> -=| Salvatore Bonaccorso, 21.04.2014 16:29:10 +0200 |=-
> > Source: libdbi-perl
> > Severity: important
> >
> > libplrpc-perl should be removed from the archive[1] as it uses
> > Storable in an unsafe way, leading to a remote code execution
> > vulnerability (in both the client and the server) [2,3].
> >
> > Petr from Red Hat also asked to add a security notice for the proxy
> > drivers[4], but this code is unmaintained in DBI[5].
> >
> > libdbi-perl is the only consumer of libplrpc-perl via Suggests, so I
> > propose to drop the Suggests and maybe add a NEWS.Debian mentioning
> > the removal. Does anybody have otherwise another better approach?
>
> I have the following changes locally, will push to alioth shortly:
>
> * Remove libplrpc-perl from Suggests:
> * warn users of DBI::Proxy about its unsafe usage of Storable
>
> The first change closes this bug, and the second applies the
> documentation patch adding warnings about using the Proxy module.
>
> I am not sure if a NEWS.Debian is needed. The removal of libplrpc-perl
> should be visible enough, no?
Yes indeed, you are right: should be enough.
Salvatore