-=| Salvatore Bonaccorso, 21.04.2014 16:29:10 +0200 |=-
> Source: libdbi-perl
> Severity: important
>
> libplrpc-perl should be removed from the archive[1] as it uses
> Storable in an unsafe way, leading to a remote code execution
> vulnerability (in both the client and the server)[2,3].
>
> Petr from Red Hat also asked to add a security notice for the proxy
> drivers[4], but this code is unmaintained in DBI[5].
>
> libdbi-perl is the only consumer of libplrpc-perl via Suggests, so I
> propose to drop the Suggests and maybe add a NEWS.Debian mentioning
> the removal. Does anybody have another, better approach?
I have the following changes locally, will push to alioth shortly:

* Remove libplrpc-perl from Suggests
* Warn users of DBI::Proxy about its unsafe usage of Storable

The first change closes this bug, and the second applies the documentation patch adding warnings about using the Proxy module. I am not sure if a NEWS.Debian is needed. The removal of libplrpc-perl should be visible enough, no?

> [1] https://bugs.debian.org/734789
> [2] https://rt.cpan.org/Public/Bug/Display.html?id=90474
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1030572
> [4] https://rt.cpan.org/Public/Bug/Display.html?id=90475
> [5] https://rt.cpan.org/Public/Bug/Display.html?id=61976#txn-840757
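For readers who want to see what "uses Storable in an unsafe way" means in practice, here is an added Perl illustration. It is not code from DBI, PlRPC or this bug report: it contrasts calling thaw() on bytes a peer supplied (the pattern the thread is warning about) with decoding a data-only format and checking its shape. The JSON::PP alternative, the message-shape check and the sample payloads are my own assumptions, not something the thread proposes.

```perl
#!/usr/bin/perl
# Added illustration (not code from DBI, PlRPC, or this bug thread).
# Contrasts Storable::thaw on peer-supplied bytes with decoding a
# data-only format; the JSON::PP choice is an assumption of this example.
use strict;
use warnings;
use Storable qw(freeze thaw);
use JSON::PP qw(encode_json decode_json);

# --- Risky pattern: whatever the peer sends is deserialised as-is. ---
# Storable faithfully rebuilds blessed references, so the sender, not the
# receiver, decides which classes the resulting objects belong to and
# therefore which DESTROY or overloaded methods later run on them.
sub receive_with_storable {
    my ($wire_bytes) = @_;      # constructed input standing in for a socket read
    return thaw($wire_bytes);   # no schema, no restriction on what comes back
}

# --- Safer pattern: accept a plain-data encoding and validate its shape. ---
sub receive_with_json {
    my ($wire_bytes) = @_;
    my $msg = decode_json($wire_bytes);   # yields only hashes, arrays, scalars
    die "unexpected message shape\n"
        unless ref $msg eq 'HASH'
            && defined $msg->{method}
            && ref $msg->{args} eq 'ARRAY';
    return $msg;
}

# Constructed, benign payloads so the script runs offline.
my $blessed  = bless { method => 'ping', args => [] }, 'Some::Class';
my $storable = freeze($blessed);
my $json     = encode_json({ method => 'ping', args => [] });

my $obj = receive_with_storable($storable);
printf "Storable handed back an object of class: %s\n", ref $obj;  # class chosen by the sender

my $data = receive_with_json($json);
printf "JSON handed back a plain %s\n", ref $data;                # HASH, no object involved
```

The point of the comparison is the absence of a type boundary: with Storable the receiving process has no say in what gets instantiated, which is why the thread treats any network-facing use of it (client or server side) as a remote code execution risk rather than a mere robustness bug.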