Gentoo Archives: gentoo-commits

From: "Mikle Kolyada (zlogene)" <zlogene@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201403-08.xml
Date: Thu, 27 Mar 2014 10:27:09
Message-Id: 20140327102701.16B8D2004F@flycatcher.gentoo.org
1 zlogene 14/03/27 10:27:01
2
3 Added: glsa-201403-08.xml
4 Log:
5 GLSA 201403-08
6
7 Revision Changes Path
8 1.1 xml/htdocs/security/en/glsa/glsa-201403-08.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201403-08.xml?rev=1.1&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201403-08.xml?rev=1.1&content-type=text/plain
12
13 Index: glsa-201403-08.xml
14 ===================================================================
15 <?xml version="1.0" encoding="UTF-8"?>
16 <?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17 <?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18 <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19 <glsa id="201403-08">
20 <title>PlRPC: Arbitrary code execution</title>
21 <synopsis>PlRPC uses Storable which allows for code execution prior to
22 Authentication
23 </synopsis>
24 <product type="ebuild">PlRPC</product>
25 <announced>March 27, 2014</announced>
26 <revised>March 27, 2014: 1</revised>
27 <bug>497692</bug>
28 <access>remote</access>
29 <affected>
30 <package name="dev-perl/PlRPC" auto="yes" arch="*">
31 <unaffected range="ge">0.202.0-r2</unaffected>
32 <vulnerable range="lt">0.202.0-r2</vulnerable>
33 </package>
34 </affected>
35 <background>
36 <p>The Perl RPC Module is a Perl module that implements IDL-free RPCs.</p>
37 </background>
38 <description>
39 <p>PlRPC uses Storable module for serialization and deserialization of
40 untrusted data. Deserialized data can contain objects which can lead to
41 loading of foreign modules, and possible execution of arbitrary code.
42 </p>
43 </description>
44 <impact type="normal">
45 <p>A remote attacker could possibly execute
46 arbitrary code with the privileges of the process, or cause a Denial of
47 Service condition.
48 </p>
49 </impact>
50 <workaround>
51 <p>External authentication mechanism can be used with PlRPC such as TLS or
52 IPSEC.
53 </p>
54 </workaround>
55 <resolution>
56 <p>All PlRPC users should upgrade to the latest version:</p>
57
58 <code>
59 # emerge --sync
60 # emerge --ask --oneshot --verbose "&gt;=dev-perl/PlRPC-0.202.0-r2"
61 </code>
62
63 </resolution>
64 <references>
65 <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7284">CVE-2013-7284</uri>
66 </references>
67 <metadata tag="requester" timestamp="Tue, 28 Jan 2014 06:14:53 +0000">
68 BlueKnight
69 </metadata>
70 <metadata tag="submitter" timestamp="Thu, 27 Mar 2014 10:25:44 +0000">
71 BlueKnight
72 </metadata>
73 </glsa>
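
Review bot: `<impact type="normal">` looks understated next to the rest of the advisory: `<access>remote</access>`, a title of "Arbitrary code execution", and a synopsis saying the code execution is possible prior to authentication. Consider raising the impact type, or say in the impact text what limits the severity. In `<workaround>`, the sentence "External authentication mechanism can be used with PlRPC such as TLS or IPSEC" does not say what the mechanism achieves. Going by the description, the problem is Storable deserializing untrusted data, so the workaround only narrows which peers can reach the service. Suggested wording: "Restrict access to the PlRPC service to trusted peers by using an external authentication mechanism such as TLS or IPsec." Style: in `<synopsis>`, "Authentication" is capitalised mid-sentence and the sentence has no closing period; in `<description>`, "uses Storable module" should read "uses the Storable module".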