Bug 1241818 - Please update to >= 1.64 to let bugzilla 5.0 run.
Summary: Please update to >= 1.64 to let bugzilla 5.0 run.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: perl-DateTime-TimeZone
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Petr Pisar
QA Contact: Martin Kyral
Lenka Špačková
Depends On:
Blocks: 1465904 1466370 1473612
TreeView+ depends on / blocked
Reported: 2015-07-10 07:39 UTC by Frank Büttner
Modified: 2018-04-10 08:38 UTC (History)
4 users (show)

Fixed In Version: perl-DateTime-TimeZone-1.70-1.el7
Doc Type: Release Note
Doc Text:
_perl-DateTime-TimeZone_ rebased to version 1.70 The _perl-DateTime-TimeZone_ package has been upgraded to upstream version 1.70, which provides a number of bug fixes and enhancements over the previous version. Notably: * With this update, it is possible to install Bugzilla version 5, which requires a more recent version of _perl-DateTime-TimeZone_ than the system provided previously. * The Olson time zone database has been updated to version 2017b. Previously, applications written in the *Perl* language that use the *DateTime::TimeZone* module mishandled time zones that changed their specifications since version 2013h due to the outdated database. * Using a local time zone from a tainted time zone identifier has been fixed.
Clone Of:
Last Closed: 2018-04-10 08:38:24 UTC
Target Upstream Version:

Attachments (Terms of Use)
Source repository patch rebasing to 1.64 (2.44 KB, patch)
2017-07-11 09:05 UTC, Petr Pisar
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
CPAN 92631 0 None None None Never
Red Hat Bugzilla 1101251 0 unspecified CLOSED Upgrade perl-DateTime-TimeZone to deliver time zone updates 2023-01-03 14:08:46 UTC
Red Hat Product Errata RHBA-2018:0664 0 None None None 2018-04-10 08:38:51 UTC

Internal Links: 1101251

Description Frank Büttner 2015-07-10 07:39:04 UTC
Description of problem:
The new bugzilla generation 5 need version 1.64 of it, but only 1.63 is available.  

Version-Release number of selected component (if applicable):

See https://www.bugzilla.org/releases/5.0/release-notes.html#v50_feat for more.

Comment 1 Petr Pisar 2015-07-10 07:42:03 UTC
Please contact Red Hat support to properly evaluate your feature request.

Comment 3 Petr Pisar 2015-07-10 08:33:51 UTC
The 1.64 source archive was moved to Backpan <http://backpan.perl.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-1.64.tar.gz>.

Changes between 1.63 and 1.64:

* Version bump.

* lib/DateTime/TimeZone/Local/Unix.pm and lib/DateTime/TimeZone/OlsonDB.pm use more secure 3-argument open() instead of the 2-argument variant.

* Year updated in copyright declarations.

* lib/DateTime/TimeZone.pm checks class name which implements requested time zone more strictly and thus untains tainted time zone name properly. This is the only bug fix quoted in the changelog. It's one-line change.

* New build-time dependencies for running tests: Test::Fatal, Test::Requires, Test::Taint. If Test::Taint and Test::Fatal are optional.

* New t/22taint-mode.t test.

* Upstream changelog is:

+1.64    2014-02-07
+- Under taint mode, DateTime::TimeZone->new( name => 'local' ) could die
+  depending on the method used to find the local time zone name. The resulting
+  variable would often be tainted. We now untaint all names before attempting
+  to load them. Reported by Stevie-O. RT #92631.

The 1.64 can be built in RHEL-7.2. All tests pass.

Reproducer for the only significant change is:

$ perl -T -e 'use DateTime::TimeZone; DateTime::TimeZone->new(name => $ARGV[0])' 'America/Chicago'
Insecure dependency in eval while running with -T switch at /usr/share/perl5/vendor_perl/DateTime/TimeZone.pm line 79.

The significant change is:

--- DateTime-TimeZone-1.63/lib/DateTime/TimeZone.pm     2013-10-28 15:50:52.000000000 +0100
+++ DateTime-TimeZone-1.64/lib/DateTime/TimeZone.pm     2014-02-07 22:58:21.000000000 +0100
@@ -73,6 +67,8 @@
         unless $real_class =~ /^\w+(::\w+)*$/;
     unless ( $real_class->can('instance') ) {
+        ($real_class) = $real_class =~ m{\A([a-zA-Z0-9_]+(?:::[a-zA-Z0-9_]+)*)\z};
         my $e = do {
             local $@;
             local $SIG{__DIE__};
@@ -564,7 +560,7 @@

We can either rebase the package to 1.64 or back-port the fix. Back-porting of course does not change the version number from 1.63 to 1.64.

Comment 4 Frank Büttner 2016-02-13 16:54:50 UTC
The external bug is fixed.

Comment 5 Petr Pisar 2016-10-06 06:32:55 UTC
The rebase is safe.

Comment 6 Petr Pisar 2017-07-11 09:05:34 UTC
Created attachment 1296138 [details]
Source repository patch rebasing to 1.64

Comment 12 errata-xmlrpc 2018-04-10 08:38:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.