OpenPKG
16/12/02, 18:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
__________________________________________________ ______________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-security@openpkg.org openpkg@openpkg.org
OpenPKG-SA-2002.014 16-Dec-2002
__________________________________________________ ______________________
Package: perl
Vulnerability: unsafe Safe compartment
OpenPKG Specific: no
Dependent Packages: none
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG 1.0 <= perl-5.6.1-1.0.1 >= perl-5.6.1-1.0.2
OpenPKG 1.1 <= perl-5.6.1-1.1.0 >= perl-5.6.1-1.1.1
OpenPKG CURRENT <= perl-5.8.0-20021129 >= perl-5.8.0-20021216
Description:
Andreas Jurenda discovered [0] a security hole in Safe.pm for Perl
[1]. When a Safe compartment has already been used, there's no
guarantee that it's safe any longer, because there's a way for code
executed within the Safe compartment to alter its operation mask.
Programs that use a Safe compartment only once aren't affected by this
bug.
Check whether you are affected by running "<prefix>/bin/rpm -q perl".
If you have an affected version of the Perl package (see above),
please upgrade it according to the solution below.
Solution:
Update existing packages to newly patched versions of Perl. Select the
updated source RPM appropriate for your OpenPKG release [2][3][4], and
fetch it from the OpenPKG FTP service or a mirror location. Verify its
integrity [5], build a corresponding binary RPM from it and update your
OpenPKG installation by applying the binary RPM [6]. For the latest
OpenPKG 1.1 release, perform the following operations to permanently fix
the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get perl-5.6.1-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig perl-5.6.1-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild perl-5.6.1-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-5.6.1-1.1.1.*.rpm
__________________________________________________ ______________________
References:
[0] http://bugs6.perl.org/rt2/Ticket/Display.html?user=guest&pass=guest&id=17744
[1] http://www.perl.com/
[2] ftp://ftp.openpkg.org/release/1.0/UPD/
[3] ftp://ftp.openpkg.org/release/1.1/UPD/
[4] ftp://ftp.openpkg.org/current/SRC/
[5] http://www.openpkg.org/security.html#signature
[6] http://www.openpkg.org/tutorial.html#regular-source
__________________________________________________ ______________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
__________________________________________________ ______________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iEYEARECAAYFAj3+AJgACgkQgHWT4GPEy58V+gCg7izWdygkK1 2AbXPpY2izzuWb
wA4AoMG3rg9EUfy1fkimlOl5zxoAsLho
=ZxAt
-----END PGP SIGNATURE-----
Hash: SHA1
__________________________________________________ ______________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-security@openpkg.org openpkg@openpkg.org
OpenPKG-SA-2002.014 16-Dec-2002
__________________________________________________ ______________________
Package: perl
Vulnerability: unsafe Safe compartment
OpenPKG Specific: no
Dependent Packages: none
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG 1.0 <= perl-5.6.1-1.0.1 >= perl-5.6.1-1.0.2
OpenPKG 1.1 <= perl-5.6.1-1.1.0 >= perl-5.6.1-1.1.1
OpenPKG CURRENT <= perl-5.8.0-20021129 >= perl-5.8.0-20021216
Description:
Andreas Jurenda discovered [0] a security hole in Safe.pm for Perl
[1]. When a Safe compartment has already been used, there's no
guarantee that it's safe any longer, because there's a way for code
executed within the Safe compartment to alter its operation mask.
Programs that use a Safe compartment only once aren't affected by this
bug.
Check whether you are affected by running "<prefix>/bin/rpm -q perl".
If you have an affected version of the Perl package (see above),
please upgrade it according to the solution below.
Solution:
Update existing packages to newly patched versions of Perl. Select the
updated source RPM appropriate for your OpenPKG release [2][3][4], and
fetch it from the OpenPKG FTP service or a mirror location. Verify its
integrity [5], build a corresponding binary RPM from it and update your
OpenPKG installation by applying the binary RPM [6]. For the latest
OpenPKG 1.1 release, perform the following operations to permanently fix
the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get perl-5.6.1-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig perl-5.6.1-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild perl-5.6.1-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/perl-5.6.1-1.1.1.*.rpm
__________________________________________________ ______________________
References:
[0] http://bugs6.perl.org/rt2/Ticket/Display.html?user=guest&pass=guest&id=17744
[1] http://www.perl.com/
[2] ftp://ftp.openpkg.org/release/1.0/UPD/
[3] ftp://ftp.openpkg.org/release/1.1/UPD/
[4] ftp://ftp.openpkg.org/current/SRC/
[5] http://www.openpkg.org/security.html#signature
[6] http://www.openpkg.org/tutorial.html#regular-source
__________________________________________________ ______________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
__________________________________________________ ______________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iEYEARECAAYFAj3+AJgACgkQgHWT4GPEy58V+gCg7izWdygkK1 2AbXPpY2izzuWb
wA4AoMG3rg9EUfy1fkimlOl5zxoAsLho
=ZxAt
-----END PGP SIGNATURE-----