FEDORA-2018-59eb033684 created by eseyman 2 years ago for Fedora 27
stable

Dancer2 0.206000 addresses several potential security issues.

There is a potential remote code execution (RCE) issue involving Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that might otherwise lead to exploitation of the RCE.

Request parsing now uses HTTP::Entity::Parser, which reduces the amount of code needed and does not require re-parsing the request body.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-59eb033684

This update has been submitted for testing by eseyman.

2 years ago

What are the CVE IDs for these security issues?

@eseyman I've had a look into all changes referenced in the versions v0.206000_02 and v0.206000, however I could not identify the potential RCE flaw. Could you be more specific about this? Also I do not understand the security concerns regarding the two pull requests you mentioned. Thank you for your effort!

This update has been pushed to testing.

2 years ago

Could you be more specific about this?

The information comes from the announcement on the dancer-users list.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for batched by eseyman.

2 years ago

This update has been submitted for stable by bodhi.

2 years ago

perl-Dancer2-0.206000-1.fc27 ejected from the push because u"Cannot find relevant tag for perl-Dancer2-0.206000-1.fc27. None of ['f27-updates', 'f27-updates-pending'] are in [u'f22-updates-testing', u'dist-6E-epel-testing', u'f21-updates-testing', u'f25-updates-testing', u'f24-updates-testing', u'epel7-testing', u'f27-modular-updates-testing', u'dist-5E-epel-testing', u'f23-updates-testing', u'f26-updates-testing', u'f28-updates-testing', u'f27-updates-testing', u'f28-modular-updates-testing']."

2 years ago

This update has been submitted for batched by eseyman.

2 years ago

This update has been submitted for stable by eseyman.

2 years ago

perl-Dancer2-0.206000-1.fc27 ejected from the push because u"Cannot find relevant tag for perl-Dancer2-0.206000-1.fc27. None of ['f27-updates', 'f27-updates-pending'] are in [u'f22-updates-testing', u'dist-6E-epel-testing', u'f21-updates-testing', u'f25-updates-testing', u'f24-updates-testing', u'epel7-testing', u'f27-modular-updates-testing', u'dist-5E-epel-testing', u'f23-updates-testing', u'f26-updates-testing', u'f28-updates-testing', u'f27-updates-testing', u'f28-modular-updates-testing']."

2 years ago

This update has been marked stable administratively. See https://pagure.io/fedora-infrastructure/issue/6925

This update has been pushed to stable.

2 years ago


Metadata
Type: security
Severity: medium
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
BZ#1569981 perl-Dancer2-0.206000 is available