Skip Menu |

This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information
The Basics
Id: 130689
Status: rejected
Priority: 0/
Queue: Perl-Dist-Strawberry
People
Owner: Nobody in particular
Requestors: biejunh [...] cn.ibm.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Oct 11 11:25:13 2019 biejunh [...] cn.ibm.com - Ticket created
Subject: security vulnerabilities discovered on Strawberry Perl 5.30.0.1 and some Perl modules
Date: Fri, 11 Oct 2019 14:43:11 +0000
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Hello Strawberry Perl bug team, We are using Strawberry Perl 5.30.0.1 and some CPAN modules on our application, according to company's security policy, we ran static code scanning for these open source code, but some security vulnerabilities are discovered during scanning. Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 Ungrouped File Open Mode Is User Modifiable (AccessControl.Bypass, CWE-288) 4 For the details, please refer to following reporting: Do you have any solution to fix these security issues ? It is very urgent for us to fix these issues for our project, could you take it as high priority ? Thanks in advance ! Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com

Message body is not shown because sender requested not to inline it.

  Fri Oct 11 14:48:58 2019 mcgrath.martin [...] gmail.com - Correspondence added
On Fri Oct 11 16:25:13 2019, biejunh@cn.ibm.com wrote: Show quoted text
> Hello Strawberry Perl bug team, > > We are using Strawberry Perl 5.30.0.1 and some CPAN modules on our > application, according to company's security policy, we ran static code > scanning for these open source code, but some security vulnerabilities are > discovered during scanning. > Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 > Ungrouped File Open Mode Is User Modifiable (AccessControl.Bypass, > CWE-288) 4 > > For the details, please refer to following reporting: > > > > Do you have any solution to fix these security issues ? It is very > urgent for us to fix these issues for our project, could you take it as > high priority ? > Thanks in advance ! > > Best Regards, > Jun Hua Bie > Senior IT Specialist > Global Technical Service > IBM Service > Mobile: +86-138-2370-2390 > mailto:biejunh@cn.ibm.com >
Related: https://rt.cpan.org/Ticket/Display.html?id=130688
  Fri Oct 11 14:48:59 2019 The RT System itself - Status changed from 'new' to 'open'
  Fri Oct 11 17:52:24 2019 ether [...] cpan.org - Correspondence added
None of these are core modules, so they are out of scope of the Strawberry perl port, or of perl core itself. They should be reported to the individual module authors. e.g. AnyEvent::Util -- report to the issue queue documented at https://metacpan.org/pod/AnyEvent::Util (left sidebar) other modules listed (several times each): Win32API::File Net::SSLeay::Handle AnyEvent::Handle
  Fri Oct 11 17:52:41 2019 ether [...] cpan.org - Status changed from 'open' to 'rejected'