TLDR: If you're using the group assignment feature of Hypnotoad or the prefork daemon, you should upgrade to Mojolicious 5.53.
Yesterday we were informed by Klaus Madsen of a security flaw in our use of POSIX::setgid(), which only changes the real group id and the effective group id, but does not make any changes to supplementary group ids. So if you were starting Hypnotoad as the root user, to be able to bind to a privileged port like 80, and then used the user/group assignment feature to drop privileges of spawned worker processes, those worker processes would retain all permissions from the supplementary group ids of the root user. These permissions tend to be very broad on common operating systems.

This flaw has been fixed in Mojolicious 5.53, which is already available on CPAN.

https://github.com/kraih/mojo/commit/37cf15fb23139bc76731dc5b59de570a99981ec9

P.S.: If you're using third-party Perl web servers with a similar group assignment feature, we strongly recommend that you verify that they don't contain the same flaw.

-- sebastian
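As an added example (not Mojolicious code and not the linked commit), here is a privilege-drop routine in Perl that replaces the supplementary group list before switching uid, plus a check that reports any group that survived the drop; the user and group names are placeholders.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use POSIX ();

# Return the supplementary group ids that differ from the given gid.
# $) reads as "egid supp1 supp2 ...", so the first field is skipped.
sub leaked_groups {
    my ($gid) = @_;
    my (undef, @supp) = split ' ', $);
    return grep { $_ != $gid } @supp;
}

# Drop root privileges to $user/$group, including supplementary groups.
# Order matters: setgroups(2) and setgid(2) need root, so they run before setuid(2).
sub drop_privileges {
    my ($user, $group) = @_;
    my $uid = getpwnam $user;
    die qq{User "$user" does not exist} unless defined $uid;
    my $gid = getgrnam $group;
    die qq{Group "$group" does not exist} unless defined $gid;

    # Assigning a list to $) calls setegid() with the first id and
    # setgroups() with the rest; "$gid $gid" leaves exactly one group.
    # POSIX::setgid() alone would keep root's supplementary groups.
    $) = "$gid $gid";
    die "setgroups failed: $!" if leaked_groups($gid);

    POSIX::setgid($gid) or die qq{Can't switch to group "$group": $!};
    POSIX::setuid($uid) or die qq{Can't switch to user "$user": $!};

    # Verify the drop is complete and irreversible: real and effective ids
    # match the target, no foreign supplementary group remains, and root
    # cannot be regained.
    die "uid not dropped" unless $< == $uid && $> == $uid;
    die "gid not dropped" unless (split ' ', $()[0] == $gid
                              && (split ' ', $))[0] == $gid;
    die "supplementary groups leaked" if leaked_groups($gid);
    die "still able to regain root"  if POSIX::setuid(0);
    return 1;
}

# Placeholder names; must run as root to exercise the real syscalls.
drop_privileges('www-data', 'www-data') and print "privileges dropped\n";
```

Running it with the `$) = ...` line commented out reproduces the flaw: `leaked_groups()` then lists root's supplementary groups in the worker.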
