[Bug 1051108] CVE-2013-7284 perl-PlRPC: pre-auth remote code execution
bugzilla at redhat.com
Thu Jan 9 22:01:40 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1051108
Vincent Danen <vdanen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|perl-PlRPC: pre-auth remote |CVE-2013-7284 perl-PlRPC:
                   |code execution              |pre-auth remote code
                   |                            |execution
              Alias|                            |CVE-2013-7284
--- Comment #2 from Vincent Danen <vdanen at redhat.com> ---
The actual proposed patch to upstream is here:
* https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-notice-on-Storable-and-reply-attack.patch
Based on the discussion in bug #1030572, there is no real "fix" for this as it
seems that Storable deserialization is exposed prior to password-based
authentication (see how AcceptUser is called in the server code).
MITRE assigned CVE-2013-7284 to this issue.
More information about the perl-devel mailing list