FEDORA-2018-59eb033684

security update in Fedora 27 for perl-Dancer2

Status: stable a year ago

Dancer2 0.206000 addresses several potential security issues.

There is a potential RCE with regard to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE.

Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.
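A defensive illustration of the session ID check described above, added here as an example and not Dancer2's own code: the allow-list pattern, the function names and the session directory are assumptions, and the point is that an ID is validated before it is turned into a file path and handed to a Storable-based store.

```perl
#!/usr/bin/env perl
# Added example (not Dancer2's code): reject malformed session IDs before a
# Storable-backed session store builds a path from them and deserializes.
use strict;
use warnings;
use File::Spec;

# Hypothetical allow-list: the only shape a well-formed ID may have.
# The exact pattern Dancer2 0.206000 uses is not shown on this page.
my $SESSION_ID_RE = qr/\A[A-Za-z0-9_-]{16,128}\z/;

sub is_valid_session_id {
    my ($id) = @_;
    return 0 unless defined $id;
    return $id =~ $SESSION_ID_RE ? 1 : 0;
}

# Build the on-disk path only for IDs that passed validation, so a client
# cannot steer the later retrieve() call at an arbitrary file.
sub session_file_for {
    my ($session_dir, $id) = @_;
    die "malformed session ID rejected\n" unless is_valid_session_id($id);
    return File::Spec->catfile($session_dir, "$id.sess");
}

# Constructed sample IDs: one well-formed, the rest malformed in different ways.
my @samples = (
    'aB3dEf9GhIjK1mNoPqRsTuVwXyZ0123',   # accepted
    '../../other-file',                   # path separators and traversal
    "abcdefghijklmnop\x00x",              # embedded NUL byte
    '',                                   # empty
);

for my $id (@samples) {
    my $path = eval { session_file_for('/var/lib/app/sessions', $id) };
    printf "%-36s => %s\n", ($id =~ s/[^[:print:]]/?/gr), $path // 'rejected';
}
```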

Comments 15

This update has been submitted for testing by eseyman.

What are the CVE IDs for these security issues?

@eseyman I've had a look into all changes referenced in the versions v0.206000_02 and v0.206000, however I could not identify the potential RCE flaw. Could you be more specific about this? Also I do not understand the security concerns regarding the two pull requests you mentioned. Thank you for your effort!

This update has been pushed to testing.

Could you be more specific about this?

The information comes from the announcement on the dancer-users list.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for batched by eseyman.

This update has been submitted for stable by bodhi.

perl-Dancer2-0.206000-1.fc27 ejected from the push because u"Cannot find relevant tag for perl-Dancer2-0.206000-1.fc27. None of ['f27-updates', 'f27-updates-pending'] are in [u'f22-updates-testing', u'dist-6E-epel-testing', u'f21-updates-testing', u'f25-updates-testing', u'f24-updates-testing', u'epel7-testing', u'f27-modular-updates-testing', u'dist-5E-epel-testing', u'f23-updates-testing', u'f26-updates-testing', u'f28-updates-testing', u'f27-updates-testing', u'f28-modular-updates-testing']."

This update has been submitted for batched by eseyman.

This update has been submitted for stable by eseyman.

perl-Dancer2-0.206000-1.fc27 ejected from the push because u"Cannot find relevant tag for perl-Dancer2-0.206000-1.fc27. None of ['f27-updates', 'f27-updates-pending'] are in [u'f22-updates-testing', u'dist-6E-epel-testing', u'f21-updates-testing', u'f25-updates-testing', u'f24-updates-testing', u'epel7-testing', u'f27-modular-updates-testing', u'dist-5E-epel-testing', u'f23-updates-testing', u'f26-updates-testing', u'f28-updates-testing', u'f27-updates-testing', u'f28-modular-updates-testing']."

This update has been marked stable administratively. See https://pagure.io/fedora-infrastructure/issue/6925

This update has been pushed to stable.


Content Type: RPM
Status: stable
Test Gating:
Submitted by:
Update Type: security
Update Severity: medium
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted a year ago; in testing a year ago; in stable a year ago

Related Bugs 1

#1569981 perl-Dancer2-0.206000 is available