This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please ensure that it is only closed when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1051106,1051110
Adding parent bug 1051108. Please use this new bodhi update url when correcting these flaws: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1051110,1051106,1051108
Because there is no way to fix this vulnerability, the modules requiring perl-PlRPC's modules will be removed from perl-DBI in rawhide and the perl-PlRPC package will be removed from rawhide. The code will be kept as is in already released Fedoras (Fedora 20 and older) to preserve compatibility.
The dependency on perl-PlRPC has been removed in perl-DBI-1.631-3.fc21. The perl-PlRPC package has been retired and blocked in Fedora 21.
Hello ppisar, Could you please fix this soon?
(In reply to pjp from comment #6)
> Hello ppisar,
>
> Could you please fix this soon?

See comment #4.
Hello Petr, Since the package has been retired from rawhide and the issue won't be fixed in earlier releases, it is good to close this bug as CLOSED WONTFIX with due comment about it. Thank you.
(In reply to pjp from comment #8)
> Since the package has been retired from rawhide and the issue won't be fixed
> in earlier releases, it is good to close this bug as CLOSED WONTFIX with due
> comment about it.

Which would be utterly wrong. Because it is fixed in Fedora ≥ 21. So WONTFIX does not apply here. Current state is more like NEXTRELEASE, which changes on December 9th when CURRENTRELEASE would be appropriate.

Also because this is a security bug, you cannot close it as WONTFIX. You have to keep it open until the latest supported Fedora release expires. This practise is also supported by the previous paragraph demonstrating the resolution is all but stable.
Hello Petr,

(In reply to Petr Pisar from comment #9)
> Which would be utterly wrong. Because it is fixed in Fedora ≥ 21.

How is it fixed in >= F21? Comment #c5 above says the 'perl-PlRPC' package has been retired from F21 onwards; and perl-DBI has been fixed to not depend on it.

-> http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/
-> https://admin.fedoraproject.org/pkgdb/package/perl-PlRPC/

There are no >= F21 branches for perl-PlRPC.

> So WONTFIX does not apply here. Current state is more like NEXTRELEASE,
> which changes on December 9th when CURRENTRELEASE would be appropriate.

There is no 'perl-PlRPC' package in NEXTRELEASE.

> Also because this is a security bug, you cannot close it as WONTFIX. You
> have to keep it open until the latest supported Fedora release expires.

That makes no sense. IMO, keeping a bug open knowing that it is not going to be fixed at all is wrong. Comment #4 above says ... there is no way how to fix this vulnerability,
Both its parent bugs too are closed as WONTFIX.

-> https://bugzilla.redhat.com/show_bug.cgi?id=1051106#c5
-> https://bugzilla.redhat.com/show_bug.cgi?id=1051108#c10