Subject: security vulnerabilities discovered on AnyEvent modules
Date: Sat, 12 Oct 2019 05:46:56 +0000
To: bug-AnyEvent [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Hello CPAN bug team,
We are using Strawberry Perl 5.30.0.1 and some Perl modules in our
application. According to the company's security policy, we ran static code
scanning on this open source code, but some security vulnerabilities were
discovered during scanning.
Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32
CWE: 266
API: Missing Setuid
Caller:
src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close
($_)
src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write
(triggered when nothing was read I<OR> written)
src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read
(triggered when nothing was read)
src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read (and
buffer)
src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read
($self->{tls})
src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close
($_)
src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close
($_)
src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write
(triggered when nothing was read I<OR> written)
src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read
(triggered when nothing was read)
src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write
($self->{tls}, $self->{_tls_wbuf})
src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read (and
buffer)
src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read
($self->{tls})
src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close
($_)
src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close
($_)
src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close
($_)
src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write
($self->{tls}, $self->{_tls_wbuf})
For the details, please refer to the following report:
Do you have any solution to fix these security issues? It is very
urgent for us to fix these issues for our project. Could you take it as
high priority?
Thanks in advance!
Note: CPAN module AnyEvent-7.16 is used for our applications.
Best Regards,
Jun Hua Bie
Senior IT Specialist
Global Technical Service
IBM Service
Mobile: +86-138-2370-2390
mailto:biejunh@cn.ibm.com