Bug 1051106 - perl-PlRPC: weak crypto
Summary: perl-PlRPC: weak crypto
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1030572 1051110
Blocks: 1051112
Reported: 2014-01-09 17:28 UTC by Ratul Gupta
Modified: 2021-02-17 07:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-10 09:35:30 UTC
Embargoed:



Description Ratul Gupta 2014-01-09 17:28:45 UTC
PlRPC is a Perl module that implements IDL-free RPCs. The cryptographic hook built into PlRPC is limited: there is no MAC, no replay protection, and there's just a symmetric group key shared by all users, which corresponds to the weak crypto in PlRPC. There appears to be zero replay protection. Additionally, compression is enabled unconditionally, which can reveal message contents, especially in conjunction with chosen-ciphertext attacks.

The patches that exist just document the issues and are not real fixes.

References:
http://seclists.org/oss-sec/2014/q1/56
https://rt.cpan.org/Public/Bug/Display.html?id=90474

Commit/Patch:
http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/commit/?id=b9497b8d780a54ff5be6661c5f24d70135e0bb79
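
The description lists three separate gaps: no MAC, no replay protection, and one symmetric key for every user. The Python sketch below is added here as an illustration and is not PlRPC code or part of this bug report; it shows the framing a receiver needs in order to reject tampered and replayed messages, the first two of those gaps. A per-message sequence number and nonce are bound to the ciphertext by an HMAC (encrypt-then-MAC), and the tag is verified in constant time before any other field is trusted. The keystream derived from HMAC-SHA256 is an assumption that stands in for a real cipher so the block needs only the standard library; the class names, key labels, frame layout and sample payloads are invented for the example.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 8 + 16   # 64-bit sequence number followed by a 128-bit nonce
TAG_LEN = 32          # HMAC-SHA256 output length


class FrameError(Exception):
    """Raised when a frame fails the authentication or replay check."""


def derive_keys(master_key: bytes):
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"example-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"example-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based keystream (assumption: stands in for a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, master_key: bytes):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.seq = 0  # strictly increasing; never reused under this key

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        header = struct.pack(">Q", self.seq) + nonce
        ciphertext = xor(plaintext, keystream(self.enc_key, nonce, len(plaintext)))
        # The tag covers the header as well, so sequence number and nonce
        # cannot be altered without detection.
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        self.seq += 1
        return header + ciphertext + tag


class Receiver:
    def __init__(self, master_key: bytes):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.last_seq = -1

    def open(self, frame: bytes) -> bytes:
        if len(frame) < HEADER_LEN + TAG_LEN:
            raise FrameError("truncated frame")
        header = frame[:HEADER_LEN]
        ciphertext = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        # Verify the MAC first, in constant time, before trusting any field.
        if not hmac.compare_digest(tag, expected):
            raise FrameError("authentication failed")
        seq = struct.unpack(">Q", header[:8])[0]
        if seq <= self.last_seq:
            raise FrameError("replayed or out-of-order frame")
        self.last_seq = seq
        nonce = header[8:HEADER_LEN]
        return xor(ciphertext, keystream(self.enc_key, nonce, len(ciphertext)))


def demo() -> dict:
    """Run a valid, a replayed and a tampered frame; return each outcome."""
    key = b"\x42" * 32                       # constructed shared key
    sender, receiver = Sender(key), Receiver(key)
    frame = sender.seal(b"rpc:ping")         # constructed RPC payload
    results = {"accepted": receiver.open(frame)}
    try:
        receiver.open(frame)                 # the same frame a second time
        results["replay"] = "accepted"
    except FrameError as err:
        results["replay"] = str(err)
    tampered = bytearray(sender.seal(b"rpc:second"))
    tampered[HEADER_LEN] ^= 0x01             # flip one ciphertext bit
    try:
        receiver.open(bytes(tampered))
        results["tamper"] = "accepted"
    except FrameError as err:
        results["tamper"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The MAC and sequence number address only the first two findings. Because every user holds the same master key, any user can still seal a frame that any other user's receiver accepts, so the third finding calls for per-principal keys or an authenticated transport rather than a change to the framing alone.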

Comment 1 Ratul Gupta 2014-01-09 17:32:01 UTC
Created perl-PlRPC tracking bugs for this issue:

Affects: fedora-all [bug 1051110]

Comment 2 Vincent Danen 2014-01-09 22:00:02 UTC
The actual proposed patch to upstream is here:

* https://rt.cpan.org/Public/Ticket/Attachment/1289399/683202/0001-Security-notice-for-Proxy.patch

As per http://seclists.org/oss-sec/2014/q1/62 MITRE has held off assigning any CVEs for this weak crypto issue.

Comment 3 Petr Pisar 2014-01-10 08:27:06 UTC
(In reply to Vincent Danen from comment #2)
> The actual proposed patch to upstream is here:
> 
> * https://rt.cpan.org/Public/Ticket/Attachment/1289399/683202/0001-Security-notice-for-Proxy.patch
> 
No. This is the wrong patch, which belongs to a different perl package. The current one, <https://rt.cpan.org/Public/Bug/Display.html?id=90474>, is the correct one and it is already applied in perl-PlRPC-0.2020-16.fc21.

I guess applying the patch from Fedora 21 to all Fedoras is sufficient.

Comment 5 Stefan Cornelius 2014-06-10 09:35:30 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
