Message-ID: <20130731055341.GA23826@elende>
Date: Wed, 31 Jul 2013 07:53:41 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: CPAN perl module Data::UUID symlink attacks

Hi Tim,

On Tue, Jul 30, 2013 at 10:36:17PM +0100, Tim Retout wrote:
> Hi all,
>
> The Perl module Data::UUID from CPAN is vulnerable to symlink attacks.
> This is a widely used Perl module for generating UUIDs.
>
> Details are in the bug report on github:
> https://github.com/rjbs/Data-UUID/issues/5
>
> I believe all released versions are affected - I have confirmed the
> issue against 1.219.
>
> Regarding affected distributions, note that Debian and Fedora do not
> ship Data::UUID from CPAN - they use OSSP's uuid. However, at least
> Arch and Gentoo seem to ship the CPAN version.

Only a short comment on this: For Debian this will change as there is
an Intent to Package bug report pending and package in NEW queue waiting
to be accepted into the archive.

 [1] http://bugs.debian.org/717315
 [2] http://ftp-master.debian.org/new.html

Regards,
Salvatore