[Bug 1051108] CVE-2013-7284 perl-PlRPC: pre-auth remote code execution

bugzilla at redhat.com bugzilla at redhat.com
Fri May 30 10:55:18 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1051108

Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|high                        |medium
         Whiteboard|impact=important,public=201 |impact=moderate,public=2013
                   |31114,reported=20140109,sou |1114,reported=20140109,sour
                   |rce=oss-sec,cvss2=6.8/AV:N/ |ce=redhat,cvss2=5.1/AV:N/AC
                   |AC:M/Au:N/C:P/I:P/A:P,rhel- |:H/Au:N/C:P/I:P/A:P,rhel-7/
                   |7/perl-PlRPC=affected,rhscl |perl-PlRPC=affected,rhscl-1
                   |-1/perl516-perl-PlRPC=affec |/perl516-perl-PlRPC=affecte
                   |ted,fedora-all/perl-PlRPC=a |d,fedora-all/perl-PlRPC=aff
                   |ffected                     |ected
              Flags|needinfo?(ratulg at redhat.com |
                   |)                           |
           Severity|high                        |medium



--- Comment #8 from Tomas Hoger <thoger at redhat.com> ---
(In reply to Tomas Hoger from comment #5)
> The only package shipped in Red Hat Software Collections 1 and Red Hat
> Enterprise Linux 7 Beta is perl-DBI with DBI::Proxy / DBI::ProxyServer
> modules.  Those modules are not used by any other package shipped as part of
> those products.

A search through the Debian archive (using http://codesearch.debian.net/) also fails
to find any user of PlRPC or DBI::Proxy*.  Reducing impact rating based on the
fact that this module does not seem to be used by any real-world application.
