Flaw reported in DBI::ProxyServer - is it something we knew about?

on 02.03.2006 19:14:16 by jonathan.leffler


----- Message from Marc Deslauriers on Wed,
01 Mar 2006 20:22:16 -0500 -----
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [FLSA-2006:178989] Updated perl-DBI package
fixes security issue
---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated perl-DBI package fixes security issue
Advisory ID: FLSA:178989
Issue date: 2006-03-01
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-0077
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

An updated perl-DBI package that fixes a temporary file flaw in
DBI::ProxyServer is now available.

DBI is a database access Application Programming Interface (API) for
the Perl programming language.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

The Debian Security Audit Project discovered that the DBI library
creates a temporary PID file in an insecure manner. A local user could
overwrite or create files as a different user who happens to run an
application which uses DBI::ProxyServer. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to
this issue.

Users should update to this erratum package which disables the temporary
PID file unless configured.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, [...]

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989

[...]

--
Jonathan Leffler #include
Guardian of DBD::Informix - v2005.02 - http://dbi.perl.org
"I don't suffer from insanity - I enjoy every minute of it."

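As an added example of the bug class the advisory describes (not code from DBI, Net::Daemon or the Fedora package), the following standalone Perl script puts the unsafe truncating open on a fixed path beside an exclusive create, and mirrors the "no PID file unless configured" behaviour of the fix. The `pidfile` configuration key, its `'none'` default and the paths in the comments are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not DBI::ProxyServer's own code: the unsafe PID-file
# pattern the advisory describes beside a hardened one.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Assumed config shape: like the fixed DBI, no PID file unless the
# operator asks for one ('none' is the assumed default value).
my %config = (pidfile => defined $ARGV[0] ? $ARGV[0] : 'none');

# UNSAFE: a predictable name in a world-writable directory, opened with
# plain truncation. open('>') follows symlinks, so if another local user
# has planted a link at this path, the daemon truncates and writes
# whatever the link points to, with the daemon's own privileges.
sub write_pidfile_unsafe {
    my ($path) = @_;               # e.g. '/tmp/dbiproxy.pid' (assumed)
    open(my $fh, '>', $path) or die "cannot open $path: $!";
    print $fh "$$\n";
    close $fh;
    return 1;
}

# SAFE: O_CREAT|O_EXCL makes the kernel refuse if anything already exists
# at the path, symlinks included, so a planted link is never followed.
# The file must still live in a directory only the service user can write
# (e.g. /var/run/<service>/, assumed); otherwise another local user can
# pre-create the name and simply deny the daemon its PID file.
sub write_pidfile_safe {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "refusing to create $path (exists or is a symlink): $!";
    print $fh "$$\n";
    close $fh or die "cannot close $path: $!";
    return 1;
}

if ($config{pidfile} eq 'none') {
    print "pidfile=none: not creating a PID file\n";
} else {
    write_pidfile_safe($config{pidfile});
    print "wrote PID $$ to $config{pidfile}\n";
}
```

Run it with no argument to see the default, or pass a path inside a directory owned by the invoking user to create the file exclusively.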

Re: Flaw reported in DBI::ProxyServer - is it something we knew about?

on 02.03.2006 23:44:11 by Tim.Bunce

Isn't that the same as this?:

Changes in DBI 1.47 (svn rev 854), 2nd February 2005

Fixed DBI::ProxyServer to not create pid files by default.
References: Ubuntu Security Notice USN-70-1, CAN-2005-0077
Thanks to Javier Fernández-Sanguino Peña from the
Debian Security Audit Project, and Jonathan Leffler.

Tim.


On Thu, Mar 02, 2006 at 10:14:16AM -0800, Jonathan Leffler wrote:
> ----- Message from Marc Deslauriers on Wed,
> 01 Mar 2006 20:22:16 -0500 -----
> To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] [FLSA-2006:178989] Updated perl-DBI package
> fixes security issue
> ---------------------------------------------------------------------
> Fedora Legacy Update Advisory
>
> Synopsis: Updated perl-DBI package fixes security issue
> Advisory ID: FLSA:178989
> Issue date: 2006-03-01
> Product: Red Hat Linux, Fedora Core
> Keywords: Bugfix
> CVE Names: CVE-2005-0077
> ---------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------
> 1. Topic:
>
> An updated perl-DBI package that fixes a temporary file flaw in
> DBI::ProxyServer is now available.
>
> DBI is a database access Application Programming Interface (API) for
> the Perl programming language.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.3 - i386
> Red Hat Linux 9 - i386
> Fedora Core 1 - i386
> Fedora Core 2 - i386
>
> 3. Problem description:
>
> The Debian Security Audit Project discovered that the DBI library
> creates a temporary PID file in an insecure manner. A local user could
> overwrite or create files as a different user who happens to run an
> application which uses DBI::ProxyServer. The Common Vulnerabilities and
> Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to
> this issue.
>
> Users should update to this erratum package which disables the temporary
> PID file unless configured.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, [...]
>
> 5. Bug IDs fixed:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989
>
> [...]
>
> --
> Jonathan Leffler #include
> Guardian of DBD::Informix - v2005.02 - http://dbi.perl.org
> "I don't suffer from insanity - I enjoy every minute of it."

Re: Flaw reported in DBI::ProxyServer - is it something we knew about?

on 03.03.2006 05:38:08 by jonathan.leffler


On 3/2/06, Tim Bunce wrote:
>
> Isn't that the same as this?:
>
> Changes in DBI 1.47 (svn rev 854), 2nd February 2005
>
> Fixed DBI::ProxyServer to not create pid files by default.
> References: Ubuntu Security Notice USN-70-1, CAN-2005-0077
> Thanks to Javier Fernández-Sanguino Peña from the
> Debian Security Audit Project, and Jonathan Leffler.



Yes - it just seems to have taken a while to get (re?)fixed in this
particular version of Linux (Fedora Legacy).

On Thu, Mar 02, 2006 at 10:14:16AM -0800, Jonathan Leffler wrote:
> > ----- Message from Marc Deslauriers on Wed,
> > 01 Mar 2006 20:22:16 -0500 -----
> > To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> > Subject: [Full-disclosure] [FLSA-2006:178989] Updated perl-DBI package
> > fixes security issue
> > ---------------------------------------------------------------------
> > Fedora Legacy Update Advisory
> >
> > Synopsis: Updated perl-DBI package fixes security issue
> > Advisory ID: FLSA:178989
> > Issue date: 2006-03-01
> > Product: Red Hat Linux, Fedora Core
> > Keywords: Bugfix
> > CVE Names: CVE-2005-0077
> > ---------------------------------------------------------------------
> >
> >
> > ---------------------------------------------------------------------
> > 1. Topic:
> >
> > An updated perl-DBI package that fixes a temporary file flaw in
> > DBI::ProxyServer is now available.
> >
> > DBI is a database access Application Programming Interface (API) for
> > the Perl programming language.
> >
> > 2. Relevant releases/architectures:
> >
> > Red Hat Linux 7.3 - i386
> > Red Hat Linux 9 - i386
> > Fedora Core 1 - i386
> > Fedora Core 2 - i386
> >
> > 3. Problem description:
> >
> > The Debian Security Audit Project discovered that the DBI library
> > creates a temporary PID file in an insecure manner. A local user could
> > overwrite or create files as a different user who happens to run an
> > application which uses DBI::ProxyServer. The Common Vulnerabilities and
> > Exposures project (cve.mitre.org) has assigned the name CVE-2005-0077 to
> > this issue.
> >
> > Users should update to this erratum package which disables the temporary
> > PID file unless configured.
> >
> > 4. Solution:
> >
> > Before applying this update, make sure all previously released errata
> > relevant to your system have been applied.
> >
> > To update all RPMs for your particular architecture, [...]
> >
> > 5. Bug IDs fixed:
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178989
> >
> > [...]
>



--
Jonathan Leffler #include
Guardian of DBD::Informix - v2005.02 - http://dbi.perl.org
"I don't suffer from insanity - I enjoy every minute of it."
