This is an automated email from the git hooks/post-receive script.

dmn pushed a commit to branch master
in repository libdbi-perl.

commit 2cd27ab51973e2fd11723a89079f3e3102e69032
Author: Damyan Ivanov <d...@debian.org>
Date:   Mon Apr 21 18:08:12 2014 +0000

    warn users of DBI::Proxy about its unsafe usage of Storable
    
    patch by Petr Písař from
    https://rt.cpan.org/Public/Bug/Display.html?id=90475
---
 debian/patches/Security-notice-for-Proxy.patch | 56 ++++++++++++++++++++++++++
 debian/patches/series                          |  1 +
 2 files changed, 57 insertions(+)

diff --git a/debian/patches/Security-notice-for-Proxy.patch 
b/debian/patches/Security-notice-for-Proxy.patch
new file mode 100644
index 0000000..53b0294
--- /dev/null
+++ b/debian/patches/Security-notice-for-Proxy.patch
@@ -0,0 +1,56 @@
+From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001
+From: Petr Písař <ppi...@redhat.com>
+Date: Mon, 18 Nov 2013 12:52:09 +0100
+Subject: [PATCH] Security notice for Proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=90475
+
+PlRPC is not secure due to Storable. Warn Proxy users about it.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/DBD/Proxy.pm       | 7 +++++++
+ lib/DBI/ProxyServer.pm | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm
+index 287b2dc..5948255 100644
+--- a/lib/DBD/Proxy.pm
++++ b/lib/DBD/Proxy.pm
+@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to 
the server:
+   $dbh->{"csv_tables"} = $tables;
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlClient> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR AND COPYRIGHT
+ 
+ This module is Copyright (c) 1997, 1998
+diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm
+index 68ad4af..78a0d78 100644
+--- a/lib/DBI/ProxyServer.pm
++++ b/lib/DBI/ProxyServer.pm
+@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
+ =back
+ 
+ 
++=head1 SECURITY WARNING
++
++L<RPC::PlServer> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR
+ 
+     Copyright (c) 1997    Jochen Wiedmann
+-- 
+1.8.3.1
+
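Review bot: In the lib/DBI/ProxyServer.pm part of the embedded patch, the new SECURITY WARNING says "Use the proxy driver only in trusted environment", which is the client-side wording carried over from lib/DBD/Proxy.pm. The server documentation should address running the server instead, for example "Run the proxy server only in a trusted environment". Both notices also name Storable as the cause without saying what "trusted" has to cover (the network, the connecting peers, or both), so a sentence on that and a pointer to the RT ticket already given in the Bug: header would make the warning actionable. Minor: "with L<Storable> module" and "in trusted environment" are each missing an article.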
diff --git a/debian/patches/series b/debian/patches/series
index 1e834d7..43e9b43 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ t__06attrs.t__localefix.patch
 t__40profile.t__NTP.patch
 t__80proxy.t___syslogd.patch
 fix-spelling.patch
+Security-notice-for-Proxy.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-perl/packages/libdbi-perl.git

_______________________________________________
Pkg-perl-cvs-commits mailing list
Pkg-perl-cvs-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
