Isn't that the same as this?:

Changes in DBI 1.47 (svn rev 854), 2nd February 2005

  Fixed DBI::ProxyServer to not create pid files by default.
    References: Ubuntu Security Notice USN-70-1, CAN-2005-0077
    Thanks to Javier Fernández-Sanguino Peña from the
    Debian Security Audit Project, and Jonathan Leffler.

Tim.


On Thu, Mar 02, 2006 at 10:14:16AM -0800, Jonathan Leffler wrote:
> ----- Message from Marc Deslauriers <[EMAIL PROTECTED]> on Wed,
> 01 Mar 2006 20:22:16 -0500 -----
> To:    [email protected], [email protected]
> Subject:    [Full-disclosure] [FLSA-2006:178989] Updated perl-DBI package
> fixes security issue
> ---------------------------------------------------------------------
>                Fedora Legacy Update Advisory
> 
> Synopsis:          Updated perl-DBI package fixes security issue
> Advisory ID:       FLSA:178989
> Issue date:        2006-03-01
> Product:           Red Hat Linux, Fedora Core
> Keywords:          Bugfix
> CVE Names:         CVE-2005-0077
> ---------------------------------------------------------------------
> 
> 
> ---------------------------------------------------------------------
> 1. Topic:
> 
> An updated perl-DBI package that fixes a temporary file flaw in
> DBI::ProxyServer is now available.
> 
> DBI is a database access Application Programming Interface (API) for
> the Perl programming language.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> Fedora Core 1 - i386
> Fedora Core 2 - i386
> 
> 3. Problem description:
> 
> The Debian Security Audit Project discovered that the DBI library
> creates a temporary PID file in an insecure manner. A local user could
> overwrite or create files as a different user who happens to run an
> application which uses DBI::ProxyServer. The Common Vulnerabilities and
> Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to
> this issue.
> 
> Users should update to this erratum package which disables the temporary
> PID file unless configured.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
> 
> To update all RPMs for your particular architecture, [...]
> 
> 5. Bug IDs fixed:
> 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989
> 
> [...]
> 
> --
> Jonathan Leffler <[EMAIL PROTECTED]>  #include <disclaimer.h>
> Guardian of DBD::Informix - v2005.02 - http://dbi.perl.org
> "I don't suffer from insanity - I enjoy every minute of it."
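
The advisory quoted above describes insecure PID file creation, and the DBI 1.47 fix was to stop creating the file by default. For cases where a PID file is still configured, this added example (not code from DBI, DBI::ProxyServer or the advisory) contrasts a plain `open` with exclusive creation. The page does not show how DBI::ProxyServer wrote its file, so the unsafe function is a generic pattern, and all paths and file names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration: generic pid file handling, not DBI::ProxyServer's code.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Risky: open() with '>' follows an existing link at $path and truncates
# whatever it points to, using the privileges of the process writing the pid.
sub write_pidfile_unsafe {
    my ($path) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} "$$\n";
    close($fh) or die "close $path: $!";
}

# Hardened: O_CREAT|O_EXCL creates the file only if nothing exists at $path,
# and refuses symlinks (even dangling ones), so no other file is touched.
sub write_pidfile_safe {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or return "refused: $!";
    print {$fh} "$$\n";
    close($fh) or die "close $path: $!";
    return "created";
}

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;
    return scalar <$fh>;
}

# Constructed scenario in a private scratch directory (stands in for a
# shared, world-writable directory). All names below are hypothetical.
my $dir     = tempdir(CLEANUP => 1);
my $target  = "$dir/important.conf";
my $pidfile = "$dir/proxyserver.pid";
open(my $t, '>', $target) or die "open $target: $!";
print {$t} "keep me\n";
close($t) or die "close $target: $!";
symlink($target, $pidfile) or die "symlink: $!";   # path is already occupied

print "safe writer:   ", write_pidfile_safe($pidfile), "\n";
print "target after safe writer:   ", slurp($target);
write_pidfile_unsafe($pidfile);
print "target after unsafe writer: ", slurp($target);
```

Keeping the PID file in a directory that only the service account can write to removes the shared-directory condition entirely; exclusive creation is the fallback when that is not possible.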
