68616 2004-10-23 00:29 0000 dev-perl/Archive-Zip: zip security vulnerability 2004-10-29 06:12:32 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B4 [glsa] P2 minor --- 1 linux4ibook@free.fr security@gentoo.org perl@gentoo.org linux4ibook@free.fr 2004-10-23 00:29:50 0000 Versions before 1.14 are vulnerable to the following problem : http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=false See perl bugs : http://rt.cpan.org/NoAuth/Bug.html?id=8076 http://rt.cpan.org/NoAuth/Bug.html?id=8077 People using Archive-zip in amavisd-new, and some other email filtering applications really need this update Reproducible: Always Steps to Reproduce: 1. 2. 3. Solution : cp Archive-Zip-1.12.ebuild Archive-Zip-1.14.ebuild ebuild Archive-Zip-1.14.ebuild digest chriswhite@gentoo.org 2004-10-23 07:11:21 0000 This looks to be a security bug. I'm re-assigning it to the security team for overview. vorlon@gentoo.org 2004-10-23 07:52:26 0000 perl team, pls bump the ebuild mcummings@gentoo.org 2004-10-23 18:06:15 0000 Bumped, tested, marked for sparc and x86. PPC, can you check it, confirm it, and mark it? mcummings@gentoo.org 2004-10-23 18:45:36 0000 darkspectre worked with me in irc and confirmed this for ppc. marking stable now - security folks, its all up to you for a glsa if you want it. vorlon@gentoo.org 2004-10-24 03:03:30 0000 adjusting Severity, removing ppc since it's already stable on ppc __ alpha and amd64, please test Archive-Zip-1.14 and mark it stable if possible current KEYWORDS="x86 sparc ppc" target KEYWORDS="x86 amd64 ppc sparc alpha" kloeri@gentoo.org 2004-10-24 06:32:54 0000 Stable on alpha. vorlon@gentoo.org 2004-10-25 01:53:18 0000 security, while we are waiting for the last arch to test/mark stable, pls vote on a GLSA koon@gentoo.org 2004-10-25 02:27:23 0000 This allows to bypass antivirus security, so I would issue one (Low ?), yes. sekretarz@gentoo.org 2004-10-25 15:22:54 0000 Stable on amd64. linux4ibook@free.fr 2004-10-26 15:47:36 0000 The FreeBSD folks have updated their port to 1.14 There is now an official Amavis Security Announcement : http://marc.theaimsgroup.com/?l=amavis-user&m=109882288027259&w=2 http://marc.theaimsgroup.com/?l=amavis-user&m=109882351729093&w=2 koon@gentoo.org 2004-10-27 05:10:17 0000 We'll have a GLSA on that one. koon@gentoo.org 2004-10-29 06:12:32 0000 GLSA 200410-31