Hi all,

On Sun, Apr 06, 2014 at 11:12:17AM +0200, Moritz Mühlenhoff wrote:
> On Sat, Mar 29, 2014 at 09:07:11AM +1100, Aníbal Monsalve Salazar wrote:
> > On Fri, 2014-03-28 16:22:14 +0100, Moritz Muehlenhoff wrote:
> > > On Thu, Jan 09, 2014 at 09:01:53PM +0100, Florian Weimer wrote:
> > >> Package: libplrpc-perl
> > >> Severity: grave
> > >> Version: 0.2020-2
> > >> Tags: security upstream
> > >> 
> > >> The PlRPC module uses Storable in an unsafe way, leading to a remote
> > >> code execution vulnerability (in both the client and the server).
> > >> 
> > >> Upstream bug report:
> > >> 
> > >> https://rt.cpan.org/Public/Bug/Display.html?id=90474
> > >> 
> > >> A fix (which is not yet available) requires a protocol change.  I
> > >> think we should remove the package from the distribution instead.
> > > 
> > > Anibal, what's the status? Do you agree with the removal?
> > 
> > Yes, I agree. I was waiting to get it fixed upstream.
> 
> Please file a removal bug against ftp.debian.org.

FTR, libdbi-perl, which had a Suggests on libplrpc-perl, has now dropped
that Suggests and added the patch for documenting the security
problems:

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libdbi-perl.git;a=commitdiff;h=001c753d2b739fa2a67ec4f15ad4e7f8ca91c3c1
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libdbi-perl.git;a=commitdiff;h=2cd27ab51973e2fd11723a89079f3e3102e69032

Regards,
Salvatore
