February 2023 - perl-devel - Fedora Mailing-Lists

[Bug 2035341] New: CVE-2020-16154 perl-App-cpanminus: signature verification bypass

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2035341 Bug ID: 2035341 Summary: CVE-2020-16154 perl-App-cpanminus: signature verification bypass Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: mrehak(a)redhat.com CC: hhorak(a)redhat.com, jorton(a)redhat.com, jplesnik(a)redhat.com, mmaslano(a)redhat.com, mspacek(a)redhat.com, perl-devel(a)lists.fedoraproject.org, perl-maint-list(a)redhat.com Target Milestone: --- Classification: Other An attacker can prepend checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers. This makes the Module::Signature::_verify() checks in both cpan and cpanm pass. External Reference: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2035341

1 month, 1 week

1
13
0 / 0

[Bug 2037408] New: CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2037408 Bug ID: 2037408 Summary: CVE-2020-16154 perl-App-cpanminus:1.7044/perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files [fedora-all] Product: Fedora Version: 35 Status: NEW Component: perl-App-cpanminus Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: jplesnik(a)redhat.com Reporter: thoger(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: jplesnik(a)redhat.com, mmaslano(a)redhat.com, mspacek(a)redhat.com, perl-devel(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2037408

1 month, 1 week

1
6
0 / 0

[Bug 2035342] New: CVE-2020-16154 perl-App-cpanminus: signature verification bypass [fedora-all]

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2035342 Bug ID: 2035342 Summary: CVE-2020-16154 perl-App-cpanminus: signature verification bypass [fedora-all] Product: Fedora Version: 35 Status: NEW Component: perl-App-cpanminus Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: jplesnik(a)redhat.com Reporter: mrehak(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: jplesnik(a)redhat.com, mmaslano(a)redhat.com, mspacek(a)redhat.com, perl-devel(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2035342

1 month, 1 week

1
7
0 / 0

[Bug 2053941] New: The Fedora BuildRequires is missing an the license files are listed as %doc

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2053941 Bug ID: 2053941 Summary: The Fedora BuildRequires is missing an the license files are listed as %doc Product: Fedora Version: 34 Status: NEW Component: cpanspec Assignee: psabata(a)redhat.com Reporter: bugzilla(a)terrortux.de QA Contact: extras-qa(a)fedoraproject.org CC: ktdreyer(a)ktdreyer.com, perl-devel(a)lists.fedoraproject.org, psabata(a)redhat.com, steve(a)silug.org, strobert(a)strobe.net Target Milestone: --- Classification: Fedora Description of problem: In the generated spec file, this line is missing: # needes by all perl packages BuildRequires: perl-generators perl-interpreter perl-devel perl And the license files of the generated spec file are marked as %doc instant of %license Version-Release number of selected component (if applicable): cpanspec-1.78-39.fc34.noarch How reproducible: Every time Steps to Reproduce: 1. Call cpanspec Sort::Versions for example Actual results: See above Expected results: Correct spec file Additional info: Also the old %setup macro is used. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2053941

1 month, 1 week

1
7
0 / 0

[Bug 1765510] New: Request to update perl-Protocol-WebSocket to 0.26 for EPEL 7

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1765510 Bug ID: 1765510 Summary: Request to update perl-Protocol-WebSocket to 0.26 for EPEL 7 Product: Fedora EPEL Version: epel7 Status: NEW Component: perl-Protocol-WebSocket Assignee: ddick(a)cpan.org Reporter: kretschmer.jens(a)siemens.com QA Contact: extras-qa(a)fedoraproject.org CC: ddick(a)cpan.org, perl-devel(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Please update perl-Protocol-WebSocket to the latest upstream version 0.26. The current version in EPEL 7 is 0.18 -- You are receiving this mail because: You are on the CC list for the bug.

1 month, 1 week

1
5
0 / 0

[Bug 1803973] New: CGI::Session is missing in epel8

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1803973 Bug ID: 1803973 Summary: CGI::Session is missing in epel8 Product: Fedora EPEL Version: epel8 Status: NEW Component: perl-CGI-Session Assignee: andreas(a)bawue.net Reporter: netwiz(a)crc.id.au QA Contact: extras-qa(a)fedoraproject.org CC: andreas(a)bawue.net, perl-devel(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora The perl-CGI-Session package is not available for EPEL8. Please import & build for EPEL8. -- You are receiving this mail because: You are on the CC list for the bug.

1 month, 1 week

1
1
0 / 0

[Bug 2170647] New: Please branch and build perl-Net-Telnet for EPEL 9

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2170647 Bug ID: 2170647 Summary: Please branch and build perl-Net-Telnet for EPEL 9 Product: Fedora EPEL Version: epel9 Status: NEW Component: perl-Net-Telnet Assignee: smooge(a)redhat.com Reporter: ganphx(a)yahoo.com QA Contact: extras-qa(a)fedoraproject.org CC: perl-devel(a)lists.fedoraproject.org, smooge(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: Please branch and build perl-Net-Telnet for EPEL 9 Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Package required to build/install smokeping from EPEL 9. See https://bugzilla.redhat.com/show_bug.cgi?id=2123406 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2170647

1 month, 1 week

1
6
0 / 0

[Bug 1716324] New: perl-Text-Xslate-3.5.6-5.fc30 is not linked to libperl.so

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=1716324 Bug ID: 1716324 Summary: perl-Text-Xslate-3.5.6-5.fc30 is not linked to libperl.so Product: Fedora Version: 30 Status: NEW Component: perl-Text-Xslate Assignee: jplesnik(a)redhat.com Reporter: ppisar(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: i(a)cicku.me, jplesnik(a)redhat.com, perl-devel(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora perl-Text-Xslate-3.5.6-5.fc30 lost a dependency on libperl.so since -Wl,--as-needed was added to distribution-wide linker flags: $ scanelf -n blib/arch/auto/Text/Xslate/Xslate.so TYPE NEEDED FILE ET_DYN libc.so.6 blib/arch/auto/Text/Xslate/Xslate.so $ ldd -r blib/arch/auto/Text/Xslate/Xslate.so linux-vdso.so.1 (0x00007fff0d5cb000) libc.so.6 => /lib64/libc.so.6 (0x00007f948b9a1000) /lib64/ld-linux-x86-64.so.2 (0x00007f948bb8f000) undefined symbol: Perl_sv_cmp (blib/arch/auto/Text/Xslate/Xslate.so) undefined symbol: PL_ppaddr (blib/arch/auto/Text/Xslate/Xslate.so) [...] Xslate.so is built like this: gcc -lpthread -shared -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/usr/local/lib -fstack-protector-strong -lperl -o blib/arch/auto/Text/Xslate/Xslate.so lib/Text/Xslate.o src/xslate_methods.o The cause is that -Wl,--as-needed takes effect when library is supplied and considering only preceding object files and ignoring and following object files. A correct linker command must list all object files before -l flags. Like this: gcc lib/Text/Xslate.o src/xslate_methods.o -lpthread -shared -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/usr/local/lib -fstack-protector-strong -lperl -o blib/arch/auto/Text/Xslate/Xslate.so Either there is bug in perl-Text-Xslate build script or in Module::Build::XSUtil that it uses. -- You are receiving this mail because: You are on the CC list for the bug.

1 month, 4 weeks

1
13
0 / 0

[Bug 2165567] New: Upgrade perl-Sub-Exporter-Lexical to 0.100000

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2165567 Bug ID: 2165567 Summary: Upgrade perl-Sub-Exporter-Lexical to 0.100000 Product: Fedora Version: rawhide URL: https://metacpan.org/release/Sub-Exporter-Lexical Status: NEW Component: perl-Sub-Exporter-Lexical Assignee: rc040203(a)freenet.de Reporter: jplesnik(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: paul(a)city-fan.org, perl-devel(a)lists.fedoraproject.org, rc040203(a)freenet.de Target Milestone: --- Classification: Fedora Latest Fedora delivers 0.092292 version. Upstream released 0.100000. When you have free time, please upgrade it. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2165567

2 months

1
6
0 / 0

[Bug 2171353] New: /usr/lib/rpm/perl.req create bogus requirements on usage function of dpkg-source.pl

by bugzilla＠redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2171353 Bug ID: 2171353 Summary: /usr/lib/rpm/perl.req create bogus requirements on usage function of dpkg-source.pl Product: Fedora Version: 37 Status: NEW Component: perl-generators Assignee: jplesnik(a)redhat.com Reporter: sergio(a)serjux.com QA Contact: extras-qa(a)fedoraproject.org CC: jplesnik(a)redhat.com, mspacek(a)redhat.com, perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com Target Milestone: --- Classification: Fedora Hi, As we see in https://bugzilla.redhat.com/show_bug.cgi?id=58537 and https://bugzilla.redhat.com/show_bug.cgi?id=1547805 https://bugzilla.redhat.com/show_bug.cgi?id=1539344 again in dpkg-source.pl of package dpkg (bug #1539344), the text [1] on "sub usage" generate a bad requirement, this time the requirement is perl(at) [2] [1] g_( 'General options: --threads-max=<threads> use at most <threads> with compressor. -q quiet mode. [2] /usr/lib/rpm/perl.req dpkg-1.21.20/scripts/dpkg-source.pl perl(Cwd) perl(Dpkg) perl(Dpkg::Arch) perl(Dpkg::Changelog::Parse) perl(Dpkg::Compression) perl(Dpkg::Conf) perl(Dpkg::Control::Fields) perl(Dpkg::Control::Info) perl(Dpkg::Control::Tests) perl(Dpkg::Deps) perl(Dpkg::ErrorHandling) perl(Dpkg::Gettext) perl(Dpkg::Source::Format) perl(Dpkg::Source::Package) perl(Dpkg::Substvars) perl(Dpkg::Vars) perl(Dpkg::Vendor) perl(Dpkg::Version) perl(File::Basename) perl(File::Spec) perl(List::Util) perl(at) perl(strict) perl(warnings) -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2171353

2 months

1
8
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

perl-devel February 2023