| Summary: | <dev-lang/perl-{5.24.3, 5.26.1}: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | kentnl, nobrowser, perl |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | =dev-lang/perl-5.24.3 =virtual/perl-Module-CoreList-5.201.709.220-r1 =virtual/perl-Time-HiRes-1.974.100-r1 | | |
| Runtime testing required: | No | | |
Description

GLSAMaker/CVETool Bot, 2017-09-10 18:54:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9ca302d548362993fd4b39b99f0d17827134c86

    commit e9ca302d548362993fd4b39b99f0d17827134c86
    Author:     Kent Fredric <kentnl@gentoo.org>
    AuthorDate: 2017-09-23 03:23:47 +0000
    Commit:     Kent Fredric <kentnl@gentoo.org>
    CommitDate: 2017-09-23 12:44:08 +0000

    dev-lang/perl: Bump to version 5.26.1 (pmasked)

    - Fixes for CVE-2017-12837, CVE-2017-12883

    Bug: https://bugs.gentoo.org/630610
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

    dev-lang/perl/Manifest           |   1 +
    dev-lang/perl/perl-5.26.1.ebuild | 623 +++++++++++++++++++++++++++++++++++++++
    profiles/package.mask            |   1 +
    3 files changed, 625 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71abf6a63e68f7d76756feafbdcc13767f90dcff

    commit 71abf6a63e68f7d76756feafbdcc13767f90dcff
    Author:     Kent Fredric <kentnl@gentoo.org>
    AuthorDate: 2017-09-23 02:48:41 +0000
    Commit:     Kent Fredric <kentnl@gentoo.org>
    CommitDate: 2017-09-23 12:44:07 +0000

    dev-lang/perl: Bump to version 5.24.3 (pmasked)

    - Upstream Fixes for CVE-2017-12883, CVE-2017-12837
    - Upgraded POSIX
    - Upgraded Time::HiRes
    - Fixes for Configure + -flto on GCC6
    - Block -Duselongdouble and -Dusequadmath together

    Bug: https://bugs.gentoo.org/630610
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

    dev-lang/perl/Manifest                                        | 2 +-
    dev-lang/perl/{perl-5.24.3_rc1.ebuild => perl-5.24.3.ebuild} | 0
    profiles/package.mask                                         | 1 +
    3 files changed, 2 insertions(+), 1 deletion(-)

Dropping package list for future stabilization after Oct 7.

ToCC List: alpha amd64 arm hppa ia64 ppc ppc64 x86

Additional CC's as a politeness but won't be waited for: sparc arm64

Arches: Please stabilize as per the package list to your left.

=dev-lang/perl-5.24.3
=virtual/perl-Module-CoreList-5.201.709.220-r1
=virtual/perl-Time-HiRes-1.974.100-r1

Thanks.

sparc stable (thanks to Rolf Eike Beer)

ppc64 stable

ppc stable

ia64 stable

Stable on amd64

x86 stable

hppa stable

arm stable

Stable on alpha.

GLSA Vote: No

@maintainers, please clean the vulnerable versions.

@perl, Can <5.24.3 be cleaned?

(In reply to Aaron Bauman from comment #14)
> @perl, Can <5.24.3 be cleaned?

and =5.26.0 please.

I wasn't expecting arm64 to take this long, and even though I said initially we wouldn't wait for them, I have so far because of Perl's importance relative to @system and how it would completely break their depgraph/stabilization efforts. Last time I asked they were stuck needing a staging box sorted, or something like that. I'll keep pressing them, but may end up doing a purge before they're ready. (Though I really don't see what benefit we give our users by purging old versions, given portage will coerce their upgrade (or not) regardless, but that's a separate discussion.)

Hah. Looks like vapier stabilized arm64 and didn't update this ticket. Cleanup commencing.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bea32fa2444295a12f44c0e2e6bc3005b50a384

    commit 2bea32fa2444295a12f44c0e2e6bc3005b50a384
    Author:     Kent Fredric <kentnl@gentoo.org>
    AuthorDate: 2018-01-16 22:52:42 +0000
    Commit:     Kent Fredric <kentnl@gentoo.org>
    CommitDate: 2018-01-17 12:42:09 +0000

    dev-lang/perl: Cleanup old re bug #630610

    Removing old versions affected by CVE-2017-12837, CVE-2017-12883

    Fallbacks to perl 5.24.1 and perl 5.24.2 removed for:
      virtual/perl-Archive-Tar
      virtual/perl-bignum
      virtual/perl-CPAN
      virtual/perl-Digest
      virtual/perl-Digest-SHA
      virtual/perl-Encode
      virtual/perl-ExtUtils-MakeMaker
      virtual/perl-File-Spec
      virtual/perl-HTTP-Tiny
      virtual/perl-IO-Compress
      virtual/perl-IO
      virtual/perl-IPC-Cmd
      virtual/perl-JSON-PP
      virtual/perl-libnet
      virtual/perl-Locale-Maketext
      virtual/perl-Locale-Maketext-Simple
      virtual/perl-Memoize
      virtual/perl-Net-Ping
      virtual/perl-Parse-CPAN-Meta
      virtual/perl-Storable
      virtual/perl-Sys-Syslog
      virtual/perl-Test-Harness
      virtual/perl-Test
      virtual/perl-XSLoader

    Virtuals that were only needed for Perl 5.24.1, 5.24.2, Perl 5.26.0 that had versions removed:
      virtual/perl-Module-CoreList

    perl-core entries that had versions removed due to becoming unreferenced by any virtual:
      perl-core/Module-CoreList

    Bug: https://bugs.gentoo.org/630610
    Package-Manager: Portage-2.3.18, Repoman-2.3.6

    dev-lang/perl/Manifest                                |   8 -
    dev-lang/perl/perl-5.24.1-r2.ebuild                   | 563 --------------------
    dev-lang/perl/perl-5.24.2.ebuild                      | 564 --------------------
    dev-lang/perl/perl-5.26.0.ebuild                      | 592 ---------------------
    perl-core/Module-CoreList/Manifest                    |   2 -
    .../Module-CoreList-5.201.705.300.ebuild              |  14 -
    .../Module-CoreList-5.201.707.150.ebuild              |  14 -
    ...uild => perl-Archive-Tar-2.40.100_rc-r5.ebuild}    |   4 +-
    ...-r4.ebuild => perl-CPAN-2.110.100_rc-r5.ebuild}    |   4 +-
    ...uild => perl-Digest-SHA-5.950.100_rc-r5.ebuild}    |   4 +-
    .../perl-Digest/perl-Digest-1.170.100_rc-r4.ebuild    |  15 -
    .../perl-Digest-1.170.100_rc-r5.ebuild}               |   4 +-
    ...2.ebuild => perl-Encode-2.800.100_rc-r3.ebuild}    |   4 +-
    ...perl-ExtUtils-MakeMaker-7.100.200_rc-r3.ebuild}    |   4 +-
    ...build => perl-File-Spec-3.630.100_rc-r3.ebuild}    |   4 +-
    ...2.ebuild => perl-HTTP-Tiny-0.56.1_rc-r3.ebuild}    |   4 +-
    ...ebuild => perl-IO-Compress-2.69.1_rc-r3.ebuild}    |   4 +-
    ...rc-r2.ebuild => perl-IO-1.360.100_rc-r3.ebuild}    |   4 +-
    .../perl-IPC-Cmd-0.920.100_rc-r5.ebuild}              |   4 +-
    .../perl-JSON-PP-2.273.0.100_rc-r5.ebuild}            |   4 +-
    ...-Locale-Maketext-Simple-0.210.100_rc-r5.ebuild}    |   4 +-
    ...=> perl-Locale-Maketext-1.260.100_rc-r5.ebuild}    |   4 +-
    .../perl-Memoize-1.30.100_rc-r5.ebuild}               |   4 +-
    .../perl-Module-CoreList-5.201.705.300.ebuild         |  15 -
    .../perl-Module-CoreList-5.201.707.150.ebuild         |  17 -
    ...ebuild => perl-Net-Ping-2.430.100_rc-r5.ebuild}    |   4 +-
    ...perl-Parse-CPAN-Meta-1.441.700.100_rc-r2.ebuild    |  15 -
    ...perl-Parse-CPAN-Meta-1.441.700.100_rc-r3.ebuild    |  15 +
    .../perl-Storable-2.560.100_rc-r3.ebuild}             |   4 +-
    ...uild => perl-Sys-Syslog-0.330.100_rc-r5.ebuild}    |   4 +-
    .../perl-Test-Harness-3.360.100_rc-r2.ebuild          |  15 -
    .../perl-Test-Harness-3.360.100_rc-r3.ebuild          |  15 +
    .../perl-Test-1.280.100_rc-r3.ebuild}                 |   4 +-
    ...0-r2.ebuild => perl-XSLoader-0.220.0-r3.ebuild}    |   4 +-
    ...2.ebuild => perl-bignum-0.420.100_rc-r3.ebuild}    |   4 +-
    .../perl-libnet-3.80.100_rc-r3.ebuild}                |   4 +-
    36 files changed, 74 insertions(+), 1878 deletions(-)

Cleanup done. Over to you.

(In reply to Kent Fredric (IRC: kent\n) from comment #19)
> Cleanup done. Over to you.

Thanks, Kent!

@security: Please issue GLSA; any has not been issued yet!

(In reply to Teika kazura from comment #21)
> @security: Please issue GLSA; any has not been issued yet!

This issue was not eligible for a GLSA, please refer to Gentoo Vulnerability Treatment Policy [1] for more detailed info. Fixed versions are already available.

[1]: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html