Bug 172293 - dev-perl/Apache-DBI 1.06 version bump - security fix for broken $DEBUG
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa] jaervosz
Reported: 2007-03-26 12:20 UTC by Sergiy Borodych
Modified: 2007-04-23 15:39 UTC

Description Sergiy Borodych 2007-03-26 12:20:35 UTC
1.06 03/23/2007
  - MP2/AuthDBI: Fixed Apache::AuthDBI::debug() to 
    actually work.
    Submitted by: [Kevin Appel <kappel@tgic.com>]

  - Bump minimum required perl version to 5.6.1 to match DBI
    (Changes in DBI 1.49 (svn rev 2287),   29th November 2005)
    Philip M. Gollucci <pgollucci@p6m7g8.com>


Quote from
http://www.freebsd.org/cgi/query-pr.cgi?pr=110789

Previously $Apache::AuthDBI::DEBUG = 0 was broken so that
logging was effectively ALWAYS on in function debug().
This will also log passwords with no way to turn this off.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-26 19:24:17 UTC
perl please advise and bump as necessary.
Comment 2 Michael Cummings (RETIRED) gentoo-dev 2007-03-30 22:37:18 UTC
bumped. not sure on severity (wouldn't say it's high, personally - yes, it's bad to reveal passwords under any circumstance, but only under debug in this case)
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-31 06:18:11 UTC
Thx Michael for the info.

Arches please test and mark stable. Target keywords are:

Apache-DBI-1.06.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86"
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 06:46:05 UTC
Now actually calling arches.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-04-04 10:07:27 UTC
ia64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-04-04 13:39:54 UTC
x86 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-04 14:04:22 UTC
sparc stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-04 18:00:19 UTC
ppc stable
Comment 9 Fernando J. Pereda (RETIRED) gentoo-dev 2007-04-04 19:06:07 UTC
Alpha done.

- ferdy
Comment 10 Peter Weller (RETIRED) gentoo-dev 2007-04-06 19:40:08 UTC
amd64 stable
Comment 11 Michael Cummings (RETIRED) gentoo-dev 2007-04-09 16:23:18 UTC
GLSA time? (just checking in since last arch reported in a few days ago). Thanks :)
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:42:56 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 13 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-04-11 17:05:46 UTC
I vote no; you would hopefully only ever have DEBUG on in a development or staging environment, where there wouldn't be a critical information loss.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-23 15:39:57 UTC
tend to vote no

that makes 2 full votes against a GLSA -> closing