Bug#745427: libdbi-perl: Suggests libplrpc-perl which should be removed from the archive

Salvatore Bonaccorso carnil at debian.org
Mon Apr 21 14:29:10 UTC 2014


Source: libdbi-perl
Severity: important

Hi Debian Perl Group members :)

libplrpc-perl should be removed from the archive[1] as it uses
Storable in an unsafe way, leading to a remote code execution
vulnerability (in both the client and the server) [2,3].

Petr from Red Hat also asked to add a security notice for the proxy
drivers[4], but this code is unmaintained in DBI[5].

libdbi-perl is the only consumer of libplrpc-perl via Suggests, so I
propose to drop the Suggests and maybe add a NEWS.Debian mentioning
the removal. Does anybody have another, better approach?

 [1] https://bugs.debian.org/734789
 [2] https://rt.cpan.org/Public/Bug/Display.html?id=90474
 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1030572
 [4] https://rt.cpan.org/Public/Bug/Display.html?id=90475
 [5] https://rt.cpan.org/Public/Bug/Display.html?id=61976#txn-840757

Regards,
Salvatore
