Versions before 1.14 are vulnerable to the following problem : http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=false See perl bugs : http://rt.cpan.org/NoAuth/Bug.html?id=8076 http://rt.cpan.org/NoAuth/Bug.html?id=8077 People using Archive-zip in amavisd-new, and some other email filtering applications really need this update Reproducible: Always Steps to Reproduce: 1. 2. 3. Solution : cp Archive-Zip-1.12.ebuild Archive-Zip-1.14.ebuild ebuild Archive-Zip-1.14.ebuild digest
This looks to be a security bug. I'm re-assigning it to the security team for overview.
perl team, pls bump the ebuild
Bumped, tested, marked for sparc and x86. PPC, can you check it, confirm it, and mark it?
darkspectre worked with me in irc and confirmed this for ppc. marking stable now - security folks, its all up to you for a glsa if you want it.
adjusting Severity, removing ppc since it's already stable on ppc __ alpha and amd64, please test Archive-Zip-1.14 and mark it stable if possible current KEYWORDS="x86 sparc ppc" target KEYWORDS="x86 amd64 ppc sparc alpha"
Stable on alpha.
security, while we are waiting for the last arch to test/mark stable, pls vote on a GLSA
This allows to bypass antivirus security, so I would issue one (Low ?), yes.
Stable on amd64.
The FreeBSD folks have updated their port to 1.14 There is now an official Amavis Security Announcement : http://marc.theaimsgroup.com/?l=amavis-user&m=109882288027259&w=2 http://marc.theaimsgroup.com/?l=amavis-user&m=109882351729093&w=2
We'll have a GLSA on that one.
GLSA 200410-31
