Versions before 1.14 are vulnerable to the following problem:
See perl bugs:
People using Archive-Zip in amavisd-new and some other
email filtering applications really need this update.
Steps to Reproduce:
cp Archive-Zip-1.12.ebuild Archive-Zip-1.14.ebuild
ebuild Archive-Zip-1.14.ebuild digest
This looks to be a security bug. I'm re-assigning it to the security team for
perl team, pls bump the ebuild
Bumped, tested, marked for sparc and x86. PPC, can you check it, confirm it, and mark it?
darkspectre worked with me in IRC and confirmed this for ppc. Marking stable now - security folks, it's all up to you for a GLSA if you want it.
adjusting Severity, removing ppc since it's already stable on ppc
alpha and amd64, please test Archive-Zip-1.14 and mark it stable if possible
current KEYWORDS="x86 sparc ppc"
target KEYWORDS="x86 amd64 ppc sparc alpha"
Stable on alpha.
While we are waiting for the last arch to test/mark stable, pls vote on a GLSA.
This allows bypassing antivirus security, so I would issue one (Low?), yes.
Stable on amd64.
The FreeBSD folks have updated their port to 1.14.
There is now an official Amavis Security Announcement:
We'll have a GLSA on that one.