[libdbi-perl] 02/04: warn users of DBI::Proxy about its unsafe usage of Storable
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 19 12:14:04 UTC 2014
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to annotated tag debian/1.622-1+deb7u1
in repository libdbi-perl.
commit e7ffab2ebc48d45703cb602bf83ceaa089076071
Author: Damyan Ivanov <dmn at debian.org>
Date: Mon Apr 21 18:08:12 2014 +0000
warn users of DBI::Proxy about its unsafe usage of Storable
patch by Petr Písař from
https://rt.cpan.org/Public/Bug/Display.html?id=90475
---
debian/patches/Security-notice-for-Proxy.patch | 56 ++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 57 insertions(+)
diff --git a/debian/patches/Security-notice-for-Proxy.patch b/debian/patches/Security-notice-for-Proxy.patch
new file mode 100644
index 0000000..53b0294
--- /dev/null
+++ b/debian/patches/Security-notice-for-Proxy.patch
@@ -0,0 +1,56 @@
+From cd8fcbbf402e1d70c9f325f8b0fcd99e02cf14be Mon Sep 17 00:00:00 2001
+From: Petr Písař <ppisar at redhat.com>
+Date: Mon, 18 Nov 2013 12:52:09 +0100
+Subject: [PATCH] Security notice for Proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=90475
+
+PlRPC is not secure due to Storable. Warn Proxy users about it.
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ lib/DBD/Proxy.pm | 7 +++++++
+ lib/DBI/ProxyServer.pm | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/lib/DBD/Proxy.pm b/lib/DBD/Proxy.pm
+index 287b2dc..5948255 100644
+--- a/lib/DBD/Proxy.pm
++++ b/lib/DBD/Proxy.pm
+@@ -974,6 +974,13 @@ The workaround is storing the modified local copy back to the server:
+ $dbh->{"csv_tables"} = $tables;
+
+
++=head1 SECURITY WARNING
++
++L<RPC::PlClient> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR AND COPYRIGHT
+
+ This module is Copyright (c) 1997, 1998
+diff --git a/lib/DBI/ProxyServer.pm b/lib/DBI/ProxyServer.pm
+index 68ad4af..78a0d78 100644
+--- a/lib/DBI/ProxyServer.pm
++++ b/lib/DBI/ProxyServer.pm
+@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
+ =back
+
+
++=head1 SECURITY WARNING
++
++L<RPC::PlServer> used underneath is not secure due to serializing and
++deserializing data with L<Storable> module. Use the proxy driver only in
++trusted environment.
++
++
+ =head1 AUTHOR
+
+ Copyright (c) 1997 Jochen Wiedmann
+--
+1.8.3.1
+
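Review bot: In the lib/DBI/ProxyServer.pm part of the embedded patch, the new SECURITY WARNING repeats the client-side sentence "Use the proxy driver only in trusted environment", but this POD documents the server. It should address whoever runs the server, for example "Run the proxy server only in a trusted environment". Both sections would also help readers more if they named the exposure that the first sentence implies: data received from the peer is deserialized with Storable, so each end has to trust the other end and the network between them. The patch adds POD text only (14 insertions across the two .pm files), so the behaviour reported in the referenced bug is unchanged and users still need to restrict who can reach the proxy.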
diff --git a/debian/patches/series b/debian/patches/series
index 1e834d7..43e9b43 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ t__06attrs.t__localefix.patch
t__40profile.t__NTP.patch
t__80proxy.t___syslogd.patch
fix-spelling.patch
+Security-notice-for-Proxy.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libdbi-perl.git