This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate. [bug automatically created by: add-tracking-bugs]
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1128978,1128979 # Description of your update notes=Security fix for # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi update submission link instead: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1128978,1128979
Oh boy, yet more bureaucracy! Folks, Plack-1.0031 already is in f22 and rawhide, but I could not update f19 and f20 because perl-File-ShareDir-Install in f20 and f19 is too old (not worth mentioning epel7, which IMO is unmaintainable). So, instead of molesting maintainers with bureaucratic forms, better help out pushing these package builts, ASAP, such that perl-Plack-1.0031 can be submitted: https://admin.fedoraproject.org/updates/FEDORA-2014-9291/perl-File-ShareDir-Install-0.08-2.fc19 https://admin.fedoraproject.org/updates/FEDORA-2014-9317/perl-File-ShareDir-Install-0.08-2.fc20
Thanks for pointing out that problem. Eric, can your Fedora Security Team people look into the above problem?
(In reply to Ralf Corsepius from comment #2) > Oh boy, yet more bureaucracy! I'm not sure what bureacuracy you are speaking of as this has been standard procedure for years. > Folks, Plack-1.0031 already is in f22 and rawhide, but I could not update > f19 and f20 because perl-File-ShareDir-Install in f20 and f19 is too old > (not worth mentioning epel7, which IMO is unmaintainable). So you need the below mentioned updates for your Plack update? It looks like they were just recently pushed to testing to testing and adding karma will be the way to get them out the door sooner. > So, instead of molesting maintainers with bureaucratic forms, better help > out pushing these package builts, ASAP, such that perl-Plack-1.0031 can be > submitted: There is no molestation occurring here. If these packages are needed for your update then by all means test them against your package and provide karma. It's what we packagers do. > https://admin.fedoraproject.org/updates/FEDORA-2014-9291/perl-File-ShareDir- > Install-0.08-2.fc19 > > https://admin.fedoraproject.org/updates/FEDORA-2014-9317/perl-File-ShareDir- > Install-0.08-2.fc20
(In reply to Eric Christensen from comment #4) > (In reply to Ralf Corsepius from comment #2) > > Oh boy, yet more bureaucracy! > > I'm not sure what bureacuracy you are speaking of as this has been standard > procedure for years. Right - And I have been repeatedly complaining about this bureaucracy for years. Unfortunately nothing has improved. Openly said, I feel Fedora's bureaucracy is ballooning and has never been bigger. > > Folks, Plack-1.0031 already is in f22 and rawhide, but I could not update > > f19 and f20 because perl-File-ShareDir-Install in f20 and f19 is too old > > (not worth mentioning epel7, which IMO is unmaintainable). > > So you need the below mentioned updates for your Plack update? Exactly. Like many other perl modules, Plack has a long dependency chain, which needs to be kept quite close to "current", otherwise quick responses to bugs aren't possible. This time, perl-File-ShareDir in fc19 and fc20 weren't new enough. > It looks > like they were just recently pushed to testing to testing and adding karma > will be the way to get them out the door sooner. *I* submitted them a couple of days ago and they are in Fedora's (7 day) release _delay_ queue. [BTW: In recent times, the 7 days quite often prove to be 10-14 days. e.g. https://admin.fedoraproject.org/updates/FEDORA-2014-9066/perl-Mail-GnuPG-0.20-1.fc20] > > So, instead of molesting maintainers with bureaucratic forms, better help > > out pushing these package builts, ASAP, such that perl-Plack-1.0031 can be > > submitted: > > There is no molestation occurring here. C'mon, stop cheating. No-molestation would equal to no additional effort and to complete ignore you. Distribution-wise, would not change anything. Do you want me to do this or are you insisting on me reading your mails, closing the BZ and fill your the form? Do you notice something? No molestation is different. > If these packages are needed for > your update then by all means test them against your package and provide > karma. It's what we packagers do. Another self-cheat. Just have a look at how many updates I have pushed (I guess 1000s). Hardly any of them has received karma. This karma-stuff is non-functional non-sense.
(In reply to Ralf Corsepius from comment #5) > > Like many other perl modules, Plack has a long dependency chain, which needs > to be kept quite close to "current", otherwise quick responses to bugs > aren't possible. Given that the patch that fixes the security is a one-liner, I think this is a difficulty you're imposing on yourself more than it is a hard requirement.
(In reply to Emmanuel Seyman from comment #6) > (In reply to Ralf Corsepius from comment #5) > > > > Like many other perl modules, Plack has a long dependency chain, which needs > > to be kept quite close to "current", otherwise quick responses to bugs > > aren't possible. > > Given that the patch that fixes the security is a one-liner, I think this is > a difficulty you're imposing on yourself more than it is a hard requirement. No, it's an upstream requirement. Plack-1.0031 requires perl(File::ShareDir::Install) >= 0.06 This requirement is fullfilled on EPEL7, fc21 and f22, while the versions in fc19 and fc20 are *outdated*
(In reply to Ralf Corsepius from comment #7) > > No, it's an upstream requirement. Plack-1.0031 requires > perl(File::ShareDir::Install) >= 0.06 Fixing this bug does not require updating perl-Plack to 1.0031. You can stay on 1.0030 and apply the patch that fixes the vulnerability.
(In reply to Emmanuel Seyman from comment #8) > (In reply to Ralf Corsepius from comment #7) > > > > No, it's an upstream requirement. Plack-1.0031 requires > > perl(File::ShareDir::Install) >= 0.06 > > Fixing this bug does not require updating perl-Plack to 1.0031. You can stay > on 1.0030 and apply the patch that fixes the vulnerability. Why should I? Just to push an update, which would be obsoleted at the time it is released? Let's take this thread to an end. I'll further on disgard it and further CVEs.
(In reply to Ralf Corsepius from comment #9) > Let's take this thread to an end. I'll further on disgard it and further > CVEs. That's fine. Depending on the severity of the CVE your package may be patched for you or retired from the repositories.
(In reply to Eric Christensen from comment #10) > (In reply to Ralf Corsepius from comment #9) > > Let's take this thread to an end. I'll further on disgard it and further > > CVEs. > > That's fine. Depending on the severity of the CVE your package may be > patched for you or retired from the repositories. You still haven't got it: The update is on it's way. I am simply not playing it nice to your bureaucratic games, which is an utter waste of time.
(In reply to Ralf Corsepius from comment #11) > (In reply to Eric Christensen from comment #10) > > (In reply to Ralf Corsepius from comment #9) > > > Let's take this thread to an end. I'll further on disgard it and further > > > CVEs. > > > > That's fine. Depending on the severity of the CVE your package may be > > patched for you or retired from the repositories. > > You still haven't got it: The update is on it's way. I am simply not playing > it nice to your bureaucratic games, which is an utter waste of time. Okay, I'm not sure what you are calling "bureaucratic games". If it's just too difficult to add the bug numbers that are fixed in bodhi then... I guess I have no words for you to make you feel better about all this bureaucracy. The nerve of someone asking you to enter a couple of numbers into a form you already have to fill out is beyond me.
perl-Plack-1.0031-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/perl-Plack-1.0031-1.fc20
perl-Plack-1.0031-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/perl-Plack-1.0031-1.fc19
Package perl-Plack-1.0031-1.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing perl-Plack-1.0031-1.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-9542/perl-Plack-1.0031-1.fc20 then log in and leave karma (feedback).
perl-Plack-1.0031-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-Plack-1.0031-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.