https://bugzilla.redhat.com/show_bug.cgi?id=1128978
Bug ID: 1128978
Summary: perl-Plack: trailing slashes removed leading to source code disclosure
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mmcallis@redhat.com
CC: jose.p.oliveira.oss@gmail.com, perl-devel@lists.fedoraproject.org, rc040203@freenet.de
Plack 1.0031 fixes the following security issue:
- Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a whitelist of generated files (avar) #446
Upstream fix:
https://github.com/avar/Plack/commit/bc1731dbb53850c380875ad683cd87c8ec99eee...
References:
https://github.com/plack/Plack/issues/405
http://seclists.org/oss-sec/2014/q3/345
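The following is an added example, not code from the bug report or from Plack itself. It shows the mismatch the changelog entry describes: Plack::Middleware::Static checks its `path` whitelist against the raw PATH_INFO, but the file lookup in Plack::App::File (before 1.0031) ran on a path with the trailing slash dropped, so a request for `/app.psgi/` can pass a regex that `/app.psgi` would not and still open `app.psgi`. The directory layout (a generated page next to a `.psgi` source file) and the "lax" whitelist regex are constructed for the illustration; the strict regex next to it is one way a practitioner would tighten the whitelist, in addition to upgrading.

```perl
#!/usr/bin/env perl
# Added example (not from the bug report or from Plack). Builds a throwaway
# document root with a generated page next to a source file, then probes a
# whitelist-based Plack::Middleware::Static setup with and without a trailing
# slash on the source file's name.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Plack::Builder;
use Plack::Test;
use HTTP::Request::Common;

# Constructed layout: the generated site and the application source share a
# root, as happens when a .psgi file is dropped next to the files it serves.
my $root = tempdir(CLEANUP => 1);
write_file(File::Spec->catfile($root, 'index.html'), "<h1>generated</h1>\n");
write_file(File::Spec->catfile($root, 'app.psgi'),   "# SECRET SOURCE\n");

# Fallback app for requests the middleware does not claim.
my $fallback = sub { [404, ['Content-Type' => 'text/plain'], ['not found']] };

# Constructed "lax" whitelist: approved extensions, or any directory-style
# URL (assumed safe because a directory is not a regular file). The regex is
# evaluated on PATH_INFO before Plack::App::File sees it, so "/app.psgi/"
# passes the check; on Plack < 1.0031 the file lookup then drops the slash
# and serves app.psgi.
my $lax = builder {
    enable 'Static', path => qr{\.(?:html|css|js|png)$|/$}, root => $root;
    $fallback;
};

# Hardened form: enumerate exactly what may be served and anchor the regex
# at both ends, so the trailing-slash variant never reaches Plack::App::File.
# Upgrading to Plack >= 1.0031 removes the underlying mismatch regardless of
# how the whitelist is written.
my $strict = builder {
    enable 'Static',
        path => qr{^/(?:index\.html|assets/[\w.-]+\.(?:css|js|png))$},
        root => $root;
    $fallback;
};

for my $case (['lax', $lax], ['strict', $strict]) {
    my ($name, $app) = @$case;
    test_psgi app => $app, client => sub {
        my $cb = shift;
        for my $path ('/index.html', '/app.psgi', '/app.psgi/') {
            my $res  = $cb->(GET $path);
            my $body = $res->content;
            $body =~ s/\s+$//;
            printf "%-6s %-12s -> %d %s\n", $name, $path, $res->code,
                $res->code == 200 ? $body : '';
        }
    };
}

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "$path: $!";
    print {$fh} $content;
    close $fh;
}
```

Run it once against the installed Plack (`perl -MPlack -e 'print Plack->VERSION'` shows which one): with a version below 1.0031, the `lax /app.psgi/` line is expected to come back 200 with the contents of `app.psgi`, while `lax /app.psgi` and every `strict` probe for the source file stay non-200. With 1.0031 or later the trailing-slash request is refused even under the lax whitelist, which is the behaviour the advisory's fix restores.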
Murray McAllister mmcallis@redhat.com changed:

What       |Removed |Added
--------------------------
Depends On |        |1128979
Depends On |        |1128980
--- Comment #1 from Murray McAllister mmcallis@redhat.com ---
Created perl-Plack tracking bugs for this issue:
Affects: fedora-all [bug 1128979]
Affects: epel-7 [bug 1128980]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1128979 [Bug 1128979] perl-Plack: trailing slashes removed leading to source code disclosure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1128980 [Bug 1128980] perl-Plack: trailing slashes removed leading to source code disclosure [epel-7]
--- Comment #2 from Murray McAllister mmcallis@redhat.com ---
MITRE assigned CVE-2014-5269 to this issue:
http://seclists.org/oss-sec/2014/q3/384
Murray McAllister mmcallis@redhat.com changed:

What  |Removed |Added
----------------------------
Alias |        |CVE-2014-5269
Murray McAllister mmcallis@redhat.com changed:

What    |Removed                                                                |Added
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Summary |perl-Plack: trailing slashes removed leading to source code disclosure |CVE-2014-5269 perl-Plack: trailing slashes removed leading to source code disclosure
Bug 1128978 depends on bug 1128979, which changed state.

Bug 1128979 Summary: perl-Plack: trailing slashes removed leading to source code disclosure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1128979

What       |Removed |Added
--------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |ERRATA
--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
perl-Plack-1.0031-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
perl-Plack-1.0031-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Ján Rusnačko jrusnack@redhat.com changed:

What: Whiteboard
Removed: impact=moderate,public=20130528,reported=20140811,source=osssecurity,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,fedora-all/perl-Plack=affected,epel-7/perl-Plack=affected
Added: impact=moderate,public=20130528,reported=20140811,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,fedora-all/perl-Plack=affected,epel-7/perl-Plack=affected