Hey Damyan,

On Mon, Apr 21, 2014 at 09:12:31PM +0300, Damyan Ivanov wrote:
> -=| Salvatore Bonaccorso, 21.04.2014 16:29:10 +0200 |=-
> > Source: libdbi-perl
> > Severity: important
> >
> > libplrpc-perl should be removed from the archive[1] as it uses
> > Storable in an unsafe way, leading to a remote code execution
> > vulnerability (in both the client and the server)[2,3].
> >
> > Petr from Red Hat also asked to add a security notice for the proxy
> > drivers[4], but this code is unmaintained in DBI[5].
> >
> > libdbi-perl is the only consumer of libplrpc-perl via Suggests, so I
> > propose to drop the Suggests and maybe add a NEWS.Debian mentioning
> > the removal. Does anybody otherwise have another better approach?
>
> I have the following changes locally, will push to alioth shortly:
>
> * Remove libplrpc-perl from Suggests
> * Warn users of DBI::Proxy about its unsafe usage of Storable
>
> The first change closes this bug, and the second applies the
> documentation patch adding warnings about using the Proxy module.
>
> I am not sure if a NEWS.Debian is needed. The removal of libplrpc-perl
> should be visible enough, no?
Yes indeed, you are right: should be enough.

Salvatore