Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 825551 Details for
Bug 1030572
perl-PlRPC: not secure across trust boundaries
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Proposed documentation fix
0001-Security-notice-on-Storable-and-reply-attack.patch (text/plain), 2.60 KB, created by
Petr Pisar
on 2013-11-18 11:33:34 UTC
(
hide
)
Description:
Proposed documentation fix
Filename:
MIME Type:
Creator:
Petr Pisar
Created:
2013-11-18 11:33:34 UTC
Size:
2.60 KB
patch
obsolete
>From 5176840a8e2ed8e92583cbb99ae590aff452bfaa Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> >Date: Mon, 18 Nov 2013 12:20:52 +0100 >Subject: [PATCH] Security notice on Storable and reply attack >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Signed-off-by: Petr PÃsaÅ <ppisar@redhat.com> >--- > README | 10 ++++++++++ > lib/RPC/PlServer.pm | 10 ++++++++++ > 2 files changed, 20 insertions(+) > >diff --git a/README b/README >index 8a68657..86054a7 100644 >--- a/README >+++ b/README >@@ -204,6 +204,7 @@ EXAMPLE > require RPC::PlServer; > require MD5; > >+ > package MD5_Server; # Clients need to request application > # "MD5_Server" > >@@ -263,6 +264,12 @@ SECURITY > Be restrictive > Think twice, before you give a client access to a method. > >+ Use of Storable >+ Storable module used for serialization and deserialization >+ underneath is inherently insecure. Deserialized data can contain >+ objects which lead to loading foreign modules and executing possible >+ attached destructors. Do not accept unauthorized connections. >+ > perlsec > And just in case I forgot it: Read the "perlsec" man page. :-) > >@@ -283,6 +290,9 @@ SECURITY > authorized, you should switch to a user based key. See the > DBI::ProxyServer for an example. > >+ Please note PlRPC encryption does not protect from reply attacks. >+ You should have implement it on the application or the cipher level. >+ > AUTHOR AND COPYRIGHT > The PlRPC-modules are > >diff --git a/lib/RPC/PlServer.pm b/lib/RPC/PlServer.pm >index 10b56c9..3afd93d 100644 >--- a/lib/RPC/PlServer.pm >+++ b/lib/RPC/PlServer.pm >@@ -637,6 +637,13 @@ object handle is valid before coercing a method on it. > > Think twice, before you give a client access to a method. > >+=item Use of Storable >+ >+L<Storable> module used for serialization and deserialization underneath is >+inherently insecure. Deserialized data can contain objects which lead to >+loading foreign modules and executing possible attached destructors. Do not >+accept unauthorized connections. >+ > =item perlsec > > And just in case I forgot it: Read the C<perlsec> man page. :-) >@@ -667,6 +674,9 @@ login phase, where to use a host based key. As soon as the user > has authorized, you should switch to a user based key. See the > DBI::ProxyServer for an example. > >+Please note PlRPC encryption does not protect from reply attacks. You should >+have implement it on the application or the cipher level. >+ > =back > > =head1 AUTHOR AND COPYRIGHT >-- >1.8.3.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=825551">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1030572
:
825551
|
825588
|
825589
|
829254