Bug 1051110

Summary: perl-PlRPC: various flaws [fedora-all]
Product: [Fedora] Fedora Reporter: Ratul Gupta <ratulg>
Component: perl-PlRPCAssignee: Petr Pisar <ppisar>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 20CC: mmaslano, perl-devel, pj.pandit, ppisar, psabata
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: fst_ping=1
Fixed In Version: perl-DBI-1.631-3.fc21 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-09 04:07:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1051106, 1051108    

Description Ratul Gupta 2014-01-09 17:31:48 UTC 
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s).  This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]
Comment 1 Ratul Gupta 2014-01-09 17:31:56 UTC 
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1051106,1051110
Comment 2 Ratul Gupta 2014-01-09 17:32:35 UTC 
Adding parent bug 1051108.  Please use this new bodhi update url when correcting these flaws:

https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1051110,1051106,1051108
Comment 4 Petr Pisar 2014-06-02 11:37:21 UTC 
Because there is no way how to fix this vulnerability, the modules requiring perl-PlRPC's modules will be removed from perl-DBI in rawhide and the perl-PlRPC package will be removed from the rawhide.

The code will be kept as is in already released Fedoras (Fedora 20 and older) to preserve compatibility.
Comment 5 Petr Pisar 2014-06-02 12:33:42 UTC 
The dependency on perl-PlRPC has been removed in perl-DBI-1.631-3.fc21. The perl-PlRPC package has been retired and blocked in Fedora 21.
Comment 6 pjp 2014-12-03 18:25:36 UTC 
Hello ppisar,

Could you please fix this soon?
Comment 7 Petr Pisar 2014-12-04 08:48:09 UTC 
(In reply to pjp from comment #6)
> Hello ppisar,
> 
> Could you please fix this soon?

See comment #4.
Comment 8 pjp 2014-12-05 14:06:29 UTC 
 Hello Petr,

Since the package has been retired from rawhide and the issue won't be fixed in earlier releases, it is good to close this bug as CLOSED WONTFIX with due comment about it.

Thank you.
Comment 9 Petr Pisar 2014-12-05 14:21:15 UTC 
(In reply to pjp from comment #8)
> Since the package has been retired from rawhide and the issue won't be fixed
> in earlier releases, it is good to close this bug as CLOSED WONTFIX with due
> comment about it.

Which would be utterly wrong. Because it is fixed in Fedora ≥ 21. So WONTFIX does not apply here. Current state is more like NEXTRELEASE. which changes on the December 9th when CURRENTRELEASE would appropriate.

Also because this is a security bug, you cannot close it as WONTFIX. You have to keep it open until the latest supported Fedora release expires. This practise is also supported by the previous paragraph demonstrating the resolution is all but stable.
Comment 10 pjp 2014-12-05 15:40:18 UTC 
   Hello Petr,

(In reply to Petr Pisar from comment #9)
> Which would be utterly wrong. Because it is fixed in Fedora ≥ 21.

  How is it fixed in >= F21?

  Comment #c5 above says 'perl-PlRPC' package has been retired from F21 onwards; And perl-DBI has been fixed to not depend on it. 

 -> http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/
 -> https://admin.fedoraproject.org/pkgdb/package/perl-PlRPC/

There are no >= F21 branches for perl-PlRPC.

> So WONTFIX does not apply here. Current state is more like NEXTRELEASE.
> which changes on the December 9th when CURRENTRELEASE would appropriate.

  There is no 'perl-PlRPC' package in NEXTRELEASE.
 
> Also because this is a security bug, you cannot close it as WONTFIX. You
> have to keep it open until the latest supported Fedora release expires.

  That makes no sense. IMO, keeping a bug open knowing that it is not going to be fixed at all is wrong. Comment #4 above says

  ... there is no way how to fix this vulnerability,
Comment 11 pjp 2014-12-05 15:44:31 UTC 
Both its parent bugs too are closed as WONTFIX.

  -> https://bugzilla.redhat.com/show_bug.cgi?id=1051106#c5
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1051108#c10