On 3/2/06, Tim Bunce <[EMAIL PROTECTED]> wrote:
>
> Isn't that the same as this?:
>
> Changes in DBI 1.47 (svn rev 854), 2nd February 2005
> Fixed DBI::ProxyServer to not create pid files by default.
> References: Ubuntu Security Notice USN-70-1, CAN-2005-0077
> Thanks to Javier Fernández-Sanguino Peña from the
> Debian Security Audit Project, and Jonathan Leffler.

Yes - it just seems to have taken a while to get (re?)fixed in this particular version of Linux (Fedora Legacy).

On Thu, Mar 02, 2006 at 10:14:16AM -0800, Jonathan Leffler wrote:
>
> > ----- Message from Marc Deslauriers <[EMAIL PROTECTED]> on Wed, 01 Mar 2006 20:22:16 -0500 -----
> >
> > To: [email protected], [email protected]
> >
> > Subject: [Full-disclosure] [FLSA-2006:178989] Updated perl-DBI package fixes security issue
> >
> > ---------------------------------------------------------------------
> > Fedora Legacy Update Advisory
> >
> > Synopsis: Updated perl-DBI package fixes security issue
> > Advisory ID: FLSA:178989
> > Issue date: 2006-03-01
> > Product: Red Hat Linux, Fedora Core
> > Keywords: Bugfix
> > CVE Names: CVE-2005-0077
> > ---------------------------------------------------------------------
> >
> >
> > ---------------------------------------------------------------------
> > 1. Topic:
> >
> > An updated perl-DBI package that fixes a temporary file flaw in DBI::ProxyServer is now available.
> >
> > DBI is a database access Application Programming Interface (API) for the Perl programming language.
> >
> > 2. Relevant releases/architectures:
> >
> > Red Hat Linux 7.3 - i386
> > Red Hat Linux 9 - i386
> > Fedora Core 1 - i386
> > Fedora Core 2 - i386
> >
> > 3. Problem description:
> >
> > The Debian Security Audit Project discovered that the DBI library creates a temporary PID file in an insecure manner. A local user could overwrite or create files as a different user who happens to run an application which uses DBI::ProxyServer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to this issue.
> >
> > Users should update to this erratum package which disables the temporary PID file unless configured.
> >
> > 4. Solution:
> >
> > Before applying this update, make sure all previously released errata relevant to your system have been applied.
> >
> > To update all RPMs for your particular architecture, [...]
> >
> > 5. Bug IDs fixed:
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989
> >
> > [...]
>
> --
> Jonathan Leffler <[EMAIL PROTECTED]> #include <disclaimer.h>
> Guardian of DBD::Informix - v2005.02 - http://dbi.perl.org
> "I don't suffer from insanity - I enjoy every minute of it."
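The flaw and the fix described in the advisory above, as an added Perl example that is not part of this thread or of DBI itself: the insecure PID-file write beside a hardened one that stays off unless configured. The file paths, the `pidfile` option and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2005-0077 pattern; not DBI's own code.
# The paths, option name and function names below are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Basename qw(dirname);

# Insecure: a predictable name in a world-writable directory, opened with
# plain ">" (create or truncate, following symlinks). If a local user has
# already placed a file or symlink at that path, the daemon truncates and
# writes through it with the daemon's own privileges, which is what the
# advisory describes.
sub write_pid_insecure {
    my $path = '/tmp/dbiproxy.pid';
    open my $fh, '>', $path or die "open $path: $!\n";
    print $fh "$$\n";
    close $fh;
    return $path;
}

# Hardened: write nothing unless explicitly configured (the behaviour DBI
# 1.47 adopted), insist on a directory that only the daemon's user can
# write to, and create the file atomically with O_CREAT|O_EXCL|O_NOFOLLOW
# so an existing file or symlink makes the open fail instead of being
# followed or truncated.
sub write_pid_secure {
    my (%opt) = @_;
    return unless defined $opt{pidfile};    # off by default
    my $path = $opt{pidfile};
    die "pidfile must be an absolute path\n" unless $path =~ m{^/};
    my $dir = dirname($path);
    my @st = stat $dir or die "stat $dir: $!\n";
    die "$dir is not owned by the current user\n" if $st[4] != $>;
    die "$dir is group- or world-writable; refusing to write PID file\n"
        if $st[2] & 022;
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644
        or die "refusing to create $path: $!\n";
    print $fh "$$\n";
    close $fh or die "close $path: $!\n";
    return $path;
}

# Usage (the directory is an example): the default call writes nothing.
write_pid_secure();
my $pid_file = eval { write_pid_secure(pidfile => '/var/run/dbiproxy/dbiproxy.pid') };
print defined $pid_file ? "PID file: $pid_file\n" : "PID file not written: $@";
```

The directory ownership and mode checks are what make O_EXCL meaningful: in a world-writable directory such as /tmp, refusing to create the file at all is the right outcome.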
