Bug 1051110 - perl-PlRPC: various flaws [fedora-all]
Summary: perl-PlRPC: various flaws [fedora-all]
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-PlRPC
Version: 20
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: fst_ping=1
Depends On:
Blocks: 1051106 CVE-2013-7284
 
Reported: 2014-01-09 17:31 UTC by Ratul Gupta
Modified: 2014-12-09 04:07 UTC (History)

Fixed In Version: perl-DBI-1.631-3.fc21
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-09 04:07:40 UTC
Type: ---
Embargoed:



Description Ratul Gupta 2014-01-09 17:31:48 UTC
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.

For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s).  This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

Comment 1 Ratul Gupta 2014-01-09 17:31:56 UTC
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1051106,1051110

Comment 2 Ratul Gupta 2014-01-09 17:32:35 UTC
Adding parent bug 1051108.  Please use this new bodhi update url when correcting these flaws:

https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1051110,1051106,1051108

Comment 4 Petr Pisar 2014-06-02 11:37:21 UTC
Because there is no way to fix this vulnerability, the modules requiring perl-PlRPC's modules will be removed from perl-DBI in rawhide and the perl-PlRPC package will be removed from rawhide.

The code will be kept as is in already released Fedoras (Fedora 20 and older) to preserve compatibility.

Comment 5 Petr Pisar 2014-06-02 12:33:42 UTC
The dependency on perl-PlRPC has been removed in perl-DBI-1.631-3.fc21. The perl-PlRPC package has been retired and blocked in Fedora 21.

Comment 6 pjp 2014-12-03 18:25:36 UTC
Hello ppisar,

Could you please fix this soon?

Comment 7 Petr Pisar 2014-12-04 08:48:09 UTC
(In reply to pjp from comment #6)
> Hello ppisar,
> 
> Could you please fix this soon?

See comment #4.

Comment 8 pjp 2014-12-05 14:06:29 UTC
Hello Petr,

Since the package has been retired from rawhide and the issue won't be fixed in earlier releases, it is good to close this bug as CLOSED WONTFIX with due comment about it.

Thank you.

Comment 9 Petr Pisar 2014-12-05 14:21:15 UTC
(In reply to pjp from comment #8)
> Since the package has been retired from rawhide and the issue won't be fixed
> in earlier releases, it is good to close this bug as CLOSED WONTFIX with due
> comment about it.

Which would be utterly wrong, because it is fixed in Fedora ≥ 21. So WONTFIX does not apply here. The current state is more like NEXTRELEASE, which changes on December 9th, when CURRENTRELEASE would be appropriate.

Also, because this is a security bug, you cannot close it as WONTFIX. You have to keep it open until the latest supported Fedora release expires. This practice is also supported by the previous paragraph demonstrating that the resolution is all but stable.

Comment 10 pjp 2014-12-05 15:40:18 UTC
Hello Petr,

(In reply to Petr Pisar from comment #9)
> Which would be utterly wrong. Because it is fixed in Fedora ≥ 21.

How is it fixed in >= F21?

Comment #c5 above says the 'perl-PlRPC' package has been retired from F21 onwards, and perl-DBI has been fixed to not depend on it.

-> http://pkgs.fedoraproject.org/cgit/perl-PlRPC.git/
-> https://admin.fedoraproject.org/pkgdb/package/perl-PlRPC/

There are no >= F21 branches for perl-PlRPC.

> So WONTFIX does not apply here. Current state is more like NEXTRELEASE.
> which changes on the December 9th when CURRENTRELEASE would appropriate.

There is no 'perl-PlRPC' package in NEXTRELEASE.
 
> Also because this is a security bug, you cannot close it as WONTFIX. You
> have to keep it open until the latest supported Fedora release expires.

That makes no sense. IMO, keeping a bug open knowing that it is not going to be fixed at all is wrong. Comment #4 above says:

... there is no way to fix this vulnerability,

Comment 11 pjp 2014-12-05 15:44:31 UTC
Both its parent bugs too are closed as WONTFIX.

-> https://bugzilla.redhat.com/show_bug.cgi?id=1051106#c5
-> https://bugzilla.redhat.com/show_bug.cgi?id=1051108#c10

