Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC
On Sun, 2014-04-06 11:12:17 +0200, Moritz Mühlenhoff wrote:
> On Sat, Mar 29, 2014 at 09:07:11AM +1100, Aníbal Monsalve Salazar wrote:
> > On Fri, 2014-03-28 16:22:14 +0100, Moritz Muehlenhoff wrote:
> > > On Thu, Jan 09, 2014 at 09:01:53PM +0100, Florian Weimer wrote:
> > > > Package: libplrpc-perl
> > > > Severity: grave
> > > > Version: 0.2020-2
> > > > Tags: security upstream
> > > >
> > > > The PlRPC module uses Storable in an unsafe way, leading to a remote
> > > > code execution vulnerability (in both the client and the server).
> > > >
> > > > Upstream bug report:
> > > > https://rt.cpan.org/Public/Bug/Display.html?id=90474
> > > >
> > > > A fix (which is not yet available) requires a protocol change. I think
> > > > we should remove the package from the distribution instead.
> > >
> > > Anibal, what's the status? Do you agree with the removal?
> >
> > Yes, I agree. I was waiting to get it fixed upstream.
>
> Please file a removal bug against ftp.debian.org.

Done!

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745477

Cheers!

signature.asc Description: Digital signature
Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC
Hi all,

On Sun, Apr 06, 2014 at 11:12:17AM +0200, Moritz Mühlenhoff wrote:
> On Sat, Mar 29, 2014 at 09:07:11AM +1100, Aníbal Monsalve Salazar wrote:
> > On Fri, 2014-03-28 16:22:14 +0100, Moritz Muehlenhoff wrote:
> > > On Thu, Jan 09, 2014 at 09:01:53PM +0100, Florian Weimer wrote:
> > > > Package: libplrpc-perl
> > > > Severity: grave
> > > > Version: 0.2020-2
> > > > Tags: security upstream
> > > >
> > > > The PlRPC module uses Storable in an unsafe way, leading to a remote
> > > > code execution vulnerability (in both the client and the server).
> > > >
> > > > Upstream bug report:
> > > > https://rt.cpan.org/Public/Bug/Display.html?id=90474
> > > >
> > > > A fix (which is not yet available) requires a protocol change. I think
> > > > we should remove the package from the distribution instead.
> > >
> > > Anibal, what's the status? Do you agree with the removal?
> >
> > Yes, I agree. I was waiting to get it fixed upstream.
>
> Please file a removal bug against ftp.debian.org.

FTR, libdbi-perl, which had a Suggests on libplrpc-perl, has now dropped
that Suggests and added a patch documenting the security problems:

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libdbi-perl.git;a=commitdiff;h=001c753d2b739fa2a67ec4f15ad4e7f8ca91c3c1
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libdbi-perl.git;a=commitdiff;h=2cd27ab51973e2fd11723a89079f3e3102e69032

Regards,
Salvatore

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC
On Sat, Mar 29, 2014 at 09:07:11AM +1100, Aníbal Monsalve Salazar wrote:
> On Fri, 2014-03-28 16:22:14 +0100, Moritz Muehlenhoff wrote:
> > On Thu, Jan 09, 2014 at 09:01:53PM +0100, Florian Weimer wrote:
> > > Package: libplrpc-perl
> > > Severity: grave
> > > Version: 0.2020-2
> > > Tags: security upstream
> > >
> > > The PlRPC module uses Storable in an unsafe way, leading to a remote
> > > code execution vulnerability (in both the client and the server).
> > >
> > > Upstream bug report:
> > > https://rt.cpan.org/Public/Bug/Display.html?id=90474
> > >
> > > A fix (which is not yet available) requires a protocol change. I think
> > > we should remove the package from the distribution instead.
> >
> > Anibal, what's the status? Do you agree with the removal?
>
> Yes, I agree. I was waiting to get it fixed upstream.

Please file a removal bug against ftp.debian.org.

Cheers,
Moritz
Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC
On Thu, Jan 09, 2014 at 09:01:53PM +0100, Florian Weimer wrote:
> Package: libplrpc-perl
> Severity: grave
> Version: 0.2020-2
> Tags: security upstream
>
> The PlRPC module uses Storable in an unsafe way, leading to a remote
> code execution vulnerability (in both the client and the server).
>
> Upstream bug report:
> https://rt.cpan.org/Public/Bug/Display.html?id=90474
>
> A fix (which is not yet available) requires a protocol change. I think
> we should remove the package from the distribution instead.

Anibal, what's the status? Do you agree with the removal?

Cheers,
Moritz
Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC
On Fri, 2014-03-28 16:22:14 +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 09, 2014 at 09:01:53PM +0100, Florian Weimer wrote:
> > Package: libplrpc-perl
> > Severity: grave
> > Version: 0.2020-2
> > Tags: security upstream
> >
> > The PlRPC module uses Storable in an unsafe way, leading to a remote
> > code execution vulnerability (in both the client and the server).
> >
> > Upstream bug report:
> > https://rt.cpan.org/Public/Bug/Display.html?id=90474
> >
> > A fix (which is not yet available) requires a protocol change. I think
> > we should remove the package from the distribution instead.
>
> Anibal, what's the status? Do you agree with the removal?

Yes, I agree. I was waiting to get it fixed upstream.

> Cheers,
> Moritz

signature.asc Description: Digital signature
Bug#734789: [CVE-2013-7284] Remote pre-authentication code execution in PlRPC
Package: libplrpc-perl
Severity: grave
Version: 0.2020-2
Tags: security upstream

The PlRPC module uses Storable in an unsafe way, leading to a remote code
execution vulnerability (in both the client and the server).

Upstream bug report:
https://rt.cpan.org/Public/Bug/Display.html?id=90474

A fix (which is not yet available) requires a protocol change. I think we
should remove the package from the distribution instead.
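As an added example, not code from the bug report or from PlRPC itself, the pattern Florian describes reduced to a few lines: a server that thaws bytes received from its peer, a peer that needs nothing but Storable's public freeze() to reach a side-effecting DESTROY in a class the server happens to have loaded, and a replacement that moves to a data-only encoding. Demo::Gadget, the method allow-list and the JSON wire format are assumptions of the example and say nothing about PlRPC's actual wire protocol.

```perl
#!/usr/bin/env perl
# Added illustration, not PlRPC code.  Demo::Gadget is a hypothetical class
# standing in for whatever classes with side-effecting DESTROY methods are
# already loaded in a real RPC process (DBI handles, temp-file cleaners, ...).
use strict;
use warnings;
use Storable qw(freeze thaw);
use JSON::PP;

package Demo::Gadget;
our @ran;                          # what the gadget did, for the demo
sub DESTROY {
    my ($self) = @_;
    # A real gadget would do unlink($self->{path}) or system($self->{cmd}).
    push @ran, "Demo::Gadget::DESTROY ran with cmd=$self->{cmd}";
}

package main;

# --- unsafe: thaw() rebuilds whatever the peer put in the stream ----------
# thaw() blesses into any package named in the stream and, with
# $Storable::Eval set, will even eval CODE refs it finds there.  The same
# applies to a client thawing a server's reply.
sub unsafe_handle_request {
    my ($wire_bytes) = @_;
    my $req = thaw($wire_bytes);
    return ref($req) || 'plain';   # $req is freed here, so DESTROY fires
}

# The peer needs neither PlRPC nor the server's code: freeze() writes
# whatever bless() it was given, and the format is public.
sub attacker_payload {
    my $obj = bless { cmd => 'rm -rf /' }, 'Demo::Gadget';
    return freeze($obj);
}

# --- hardened: a wire format that cannot name a class at all -------------
# JSON::PP->decode yields only scalars, array refs and hash refs; there is
# no encoding for "bless this into Demo::Gadget", so no gadget is reachable.
my $codec = JSON::PP->new->utf8->canonical;

sub safe_handle_request {
    my ($wire_bytes) = @_;
    my $req = eval { $codec->decode($wire_bytes) };
    return { error => "rejected: $@" }            unless defined $req;
    return { error => 'rejected: not an object' } unless ref $req eq 'HASH';
    my $args = $req->{args} // [];
    return { error => 'rejected: args must be a list' } unless ref $args eq 'ARRAY';
    # Dispatch only through an allow-list; never call a method named by the peer.
    my %methods = (ping => sub { 'pong' });
    my $m = $req->{method} // '';
    return { error => "unknown method '$m'" } unless exists $methods{$m};
    return { result => $methods{$m}->(@$args) };
}

unless (caller) {
    my $bytes = attacker_payload();
    @Demo::Gadget::ran = ();   # drop the attacker-side DESTROY of this single-process demo
    my $class = unsafe_handle_request($bytes);
    print "unsafe server built an object of class $class\n";
    print "  $_\n" for @Demo::Gadget::ran;   # the side effect has already happened

    my $ok  = safe_handle_request($codec->encode({ method => 'ping' }));
    my $bad = safe_handle_request($bytes);
    print "safe server: $ok->{result}\n";
    print "safe server: $bad->{error}\n";
}
```

Run it with perl and the unsafe side reports that Demo::Gadget::DESTROY has already run by the time unsafe_handle_request returns. That timing is the practical point: there is nothing left to validate after thaw(), because class-specific code (DESTROY, class hooks such as STORABLE_thaw, or deparsed CODE refs when $Storable::Eval is enabled) executes during or immediately after deserialisation, which is consistent with the report's note that a fix requires a protocol change rather than input filtering.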