[Bug 1094440] New: perl-libwww-perl: incorrect handling of SSL certificate verification
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1094440
Bug ID: 1094440
Summary: perl-libwww-perl: incorrect handling of SSL
certificate verification
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: vdanen(a)redhat.com
CC: jkurik(a)redhat.com, mmaslano(a)redhat.com,
perl-devel(a)lists.fedoraproject.org,
perl-maint-list(a)redhat.com, ppisar(a)redhat.com,
psabata(a)redhat.com
It was reported [1] that libwww-perl (LWP), when using IO::Socket::SSL (the
default) and when the HTTPS_CA_DIR or HTTPS_CA_FILE environment variables were
set, would disable server certificate verification. Judging by the commit [2],
the intention was to disable only hostname verification for compatibility with
Crypt::SSLeay, but the resultant effect is that SSL_verify_mode is set to 0.
This code was introduced in LWP::Protocol::https in version 6.04, so earlier
versions are not vulnerable.
Potential patches [3],[4] are being discussed upstream [5].
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
[2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2ba...
[3] https://github.com/noxxi/lwp-protocol-https/commit/1b924708663f457a4f7c25...
[4] https://github.com/noxxi/lwp-protocol-https/commit/6b5c876de80451ee54de5d...
[5] https://github.com/libwww-perl/lwp-protocol-https/pull/14
Statement:
This issue did not affect the versions of perl-libwww-perl as shipped with Red
Hat Enterprise Linux 5 and 6.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=6oOhABRd7w&a=cc_unsubscribe
8 years, 6 months
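Added example, not part of the bug report and not LWP's own code: a Perl check for the conditions named in bug 1094440 (LWP::Protocol::https 6.04 or later with HTTPS_CA_DIR or HTTPS_CA_FILE set), followed by a client that sets its verification options explicitly. The helper names exposure_report and hardened_ua are hypothetical, and the script assumes that options passed in ssl_opts take precedence over the environment-derived defaults.

```perl
#!/usr/bin/perl
# Added example (not LWP's own code): report whether this process matches the
# conditions in the report above, then build a client that pins verification.
use strict;
use warnings;
use version;
use LWP::UserAgent;
use LWP::Protocol::https;
use IO::Socket::SSL;

# Conditions named in the report: LWP::Protocol::https 6.04 or later, plus
# HTTPS_CA_DIR or HTTPS_CA_FILE present in the environment.
sub exposure_report {
    my $installed = LWP::Protocol::https->VERSION;
    my @ca_env = grep { defined $ENV{$_} && length $ENV{$_} }
                 qw(HTTPS_CA_DIR HTTPS_CA_FILE);
    my $has_code = version->parse($installed) >= version->parse('6.04');
    # What a default-constructed client ends up with in this environment.
    my $default = LWP::UserAgent->new->ssl_opts('verify_hostname');
    return {
        version         => $installed,
        ca_env          => \@ca_env,
        verify_hostname => $default ? 1 : 0,
        review_needed   => ($has_code && @ca_env) ? 1 : 0,
    };
}

# Assumption: options passed explicitly in ssl_opts take precedence over the
# environment-derived defaults, so verification stays on either way.
sub hardened_ua {
    my %opts = (
        verify_hostname => 1,
        SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),
    );
    $opts{SSL_ca_file} = $ENV{HTTPS_CA_FILE} if $ENV{HTTPS_CA_FILE};
    $opts{SSL_ca_path} = $ENV{HTTPS_CA_DIR}  if $ENV{HTTPS_CA_DIR};
    return LWP::UserAgent->new(ssl_opts => \%opts);
}

my $r = exposure_report();
printf "LWP::Protocol::https %s, CA env: %s, default verify_hostname=%d\n",
    $r->{version}, (join(',', @{ $r->{ca_env} }) || 'none'), $r->{verify_hostname};
print "Review: certificate verification may be disabled for default clients\n"
    if $r->{review_needed};
my $ua = hardened_ua();
printf "Hardened client: verify_hostname=%d SSL_verify_mode=%d\n",
    $ua->ssl_opts('verify_hostname'), $ua->ssl_opts('SSL_verify_mode');
```

The review flag only says that the conditions from the report are present; whether the installed package carries a fix has to be checked against the distribution's advisory.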
[Bug 430177] New: clamd.d/amavisd.conf configuration directives require boolean arguments
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=430177
Summary: clamd.d/amavisd.conf configuration directives require
boolean arguments
Product: Fedora EPEL
Version: el5
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: amavisd-new
AssignedTo: steve(a)silug.org
ReportedBy: rayvd(a)bludgeon.org
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-perl-devel-list(a)redhat.com
After installing amavisd-new-2.4.5-1.el5 from epel-testing I get the following
when running service clamd.amavisd start:
# service clamd.amavisd start
Starting clamd.amavisd: ERROR: Parse error at line 2: Option LogSyslog requires
boolean argument.
ERROR: Can't open/parse the config file /etc/clamd.d/amavisd.conf
[FAILED]
Turns out FixStaleSocket also requires a boolean argument.
I appended a 'yes' to both of these configuration directives and everything is
working fine now.
This is in tandem with clamav-server-0.92-4.1.el5 from epel.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
8 years, 6 months
[Bug 1169369] New: CVE-2014-9130 libyaml: assert failure when processing wrapped strings
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1169369
Bug ID: 1169369
Summary: CVE-2014-9130 libyaml: assert failure when processing
wrapped strings
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abaron(a)redhat.com, aortega(a)redhat.com,
apatters(a)redhat.com, apevec(a)redhat.com,
ayoung(a)redhat.com, bhu(a)redhat.com,
bkearney(a)redhat.com, bleanhar(a)redhat.com,
cbillett(a)redhat.com, ccoleman(a)redhat.com,
chrisw(a)redhat.com, cpelland(a)redhat.com,
cperry(a)redhat.com, dajohnso(a)redhat.com,
dallan(a)redhat.com, dclarizi(a)redhat.com,
dmcphers(a)redhat.com, esammons(a)redhat.com,
gkotton(a)redhat.com, gmccullo(a)redhat.com,
iboverma(a)redhat.com, jdetiber(a)redhat.com,
jeckersb(a)redhat.com, jhardy(a)redhat.com,
jialiu(a)redhat.com, jkeck(a)redhat.com,
jmatthew(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, jorton(a)redhat.com,
jplesnik(a)redhat.com, jprause(a)redhat.com,
jrafanie(a)redhat.com, jross(a)redhat.com,
jvlcek(a)redhat.com, katello-bugs(a)redhat.com,
kseifried(a)redhat.com, lhh(a)redhat.com,
lmeyer(a)redhat.com, lpeer(a)redhat.com,
markmc(a)redhat.com, matt(a)redhat.com, mburns(a)redhat.com,
mcressma(a)redhat.com, mmaslano(a)redhat.com,
mmccomas(a)redhat.com, mmccune(a)redhat.com,
mmcgrath(a)redhat.com, mmraka(a)redhat.com,
mrg-program-list(a)redhat.com, obarenbo(a)redhat.com,
paul(a)city-fan.org, perl-devel(a)lists.fedoraproject.org,
pmyers(a)redhat.com, rbryant(a)redhat.com,
rhos-maint(a)redhat.com, sclewis(a)redhat.com,
taw(a)redhat.com, tjay(a)redhat.com, tomckay(a)redhat.com,
tremble(a)tremble.org.uk, tsanders(a)redhat.com,
williams(a)redhat.com, xlecauch(a)redhat.com,
yeylon(a)redhat.com
An assertion failure was found in the way the libyaml library parsed wrapped
strings. An attacker able to load specially crafted YAML input into an
application using libyaml could cause the application to crash.
This issue was reported upstream at [1]; a patch that fixes this issue is
available at [2].
[1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-fa...
[2] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd3678...
8 years, 6 months
[Bug 1225047] New: Upgrade perl-Curses
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1225047
Bug ID: 1225047
Summary: Upgrade perl-Curses
Product: Fedora
Version: rawhide
Component: perl-Curses
Keywords: FutureFeature
Assignee: steve.traylen(a)cern.ch
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org,
steve.traylen(a)cern.ch
Latest Fedora delivers 1.28, while upstream released 1.32. Please upgrade the
package.
8 years, 6 months
[Bug 1209939] New: stompclt-1.3 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1209939
Bug ID: 1209939
Summary: stompclt-1.3 is available
Product: Fedora
Version: rawhide
Component: stompclt
Keywords: FutureFeature, Triaged
Assignee: massimo.paladin(a)gmail.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: alexandre.beche(a)gmail.com, massimo.paladin(a)gmail.com,
perl-devel(a)lists.fedoraproject.org
Latest upstream release: 1.3
Current version/release in rawhide: 1.2-3.fc22
URL: http://cons.web.cern.ch/cons/perl/stompclt/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
8 years, 7 months
[Bug 1230784] New: Upgrade perl-Pod-Plainer to 1.04
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1230784
Bug ID: 1230784
Summary: Upgrade perl-Pod-Plainer to 1.04
Product: Fedora
Version: rawhide
Component: perl-Pod-Plainer
Keywords: FutureFeature
Assignee: xning(a)redhat.com
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org,
pnemade(a)redhat.com, psabata(a)redhat.com,
xning(a)redhat.com
Latest Fedora delivers perl-Pod-Plainer 1.03. Upstream released 1.04. Please
upgrade.
Also please enable monitoring service to receive reports about new releases.
8 years, 7 months
[Bug 1209551] New: Class-Field 0.23 is available
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1209551
Bug ID: 1209551
Summary: Class-Field 0.23 is available
Product: Fedora
Version: rawhide
Component: perl-Class-Field
Keywords: FutureFeature
Assignee: berrange(a)redhat.com
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: berrange(a)redhat.com,
perl-devel(a)lists.fedoraproject.org
Upstream released many new versions since last update in Fedora. Please
upgrade.
8 years, 7 months
[Bug 1239335] New: perl-version rebuild attempts to change files outside of build directory
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1239335
Bug ID: 1239335
Summary: perl-version rebuild attempts to change files outside
of build directory
Product: Fedora
Version: 21
Component: perl-version
Assignee: psabata(a)redhat.com
Reporter: joe(a)josephdwagner.info
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org, psabata(a)redhat.com
Description of problem:
perl-version attempts to modify files outside of the build directory, resulting
in an access denied error when rebuilt by an unprivileged user.
Version-Release number of selected component (if applicable):
perl-version-0.99.12-1.fc21.src.rpm
How reproducible: 100%
Steps to Reproduce:
# rpmbuild --rebuild --clean --target=i686 perl-version-0.99.12-1.fc21.src.rpm
Actual results:
Manifying blib/man3/version::Internals.3pm
Manifying blib/man3/version.3pm
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.URdhHG
+ umask 022
+ cd /home/joseph/rpmbuild/BUILD
+ cd version-0.9912
+ make pure_install
DESTDIR=/home/joseph/rpmbuild/BUILDROOT/perl-version-0.99.12-1.el6.i386
make[1]: Entering directory `/home/joseph/rpmbuild/BUILD/version-0.9912/vutil'
make[1]: Leaving directory `/home/joseph/rpmbuild/BUILD/version-0.9912/vutil'
Files found in blib/arch: installing files in blib/lib into architecture
dependent library tree
Installing
/home/joseph/rpmbuild/BUILDROOT/perl-version-0.99.12-1.el6.i386/usr/lib/perl5/vendor_perl/auto/version/vxs/vxs.so
Installing
/home/joseph/rpmbuild/BUILDROOT/perl-version-0.99.12-1.el6.i386/usr/lib/perl5/vendor_perl/auto/version/vxs/vxs.bs
Installing
/home/joseph/rpmbuild/BUILDROOT/perl-version-0.99.12-1.el6.i386/usr/lib/perl5/vendor_perl/version.pod
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: WARNING: Failed chmod(0666, /usr/share/perl5/version.pod): Operation
not permitted
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ERROR: Cannot unlink '/usr/share/perl5/version.pod': Permission denied
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
at -e line 1
make: *** [pure_vendor_install] Error 13
error: Bad exit status from /var/tmp/rpm-tmp.URdhHG (%install)
RPM build errors:
InstallSourcePackage at: psm.c:244: Header V3 RSA/SHA256 Signature, key ID
95a43f54: NOKEY
user mockbuild does not exist - using root
group mockbuild does not exist - using root
user mockbuild does not exist - using root
group mockbuild does not exist - using root
Bad exit status from /var/tmp/rpm-tmp.URdhHG (%install)
Expected results:
Successful build.
8 years, 7 months