
[DONE] wml://{security/2016/dsa-3628.wml}



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- --- english/security/2016/dsa-3628.wml	2016-07-25 20:16:12.000000000 +0500
+++ russian/security/2016/dsa-3628.wml	2016-07-25 22:24:23.514734160 +0500
@@ -1,60 +1,61 @@
- -<define-tag description>security update</define-tag>
+#use wml::debian::translation-check translation="1.2" maintainer="Lev Lamberov"
+<define-tag description>обновление безопаÑ?ноÑ?Ñ?и</define-tag>
 <define-tag moreinfo>
- -<p>Multiple vulnerabilities were discovered in the implementation of the
- -Perl programming language. The Common Vulnerabilities and Exposures
- -project identifies the following problems:</p>
+<p>Ð? Ñ?еализаÑ?ии Ñ?зÑ?ка пÑ?огÑ?аммиÑ?ованиÑ? Perl бÑ?ли обнаÑ?Ñ?женÑ?
+многоÑ?иÑ?леннÑ?е Ñ?Ñ?звимоÑ?Ñ?и. Ð?Ñ?оекÑ? Common Vulnerabilities and Exposures
+опÑ?еделÑ?еÑ? Ñ?ледÑ?Ñ?Ñ?ие пÑ?облемÑ?:</p>
 
 <ul>
 
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2016-1238";>CVE-2016-1238</a>
 
- -    <p>John Lightsey and Todd Rinaldo reported that the opportunistic
- -    loading of optional modules can make many programs unintentionally
- -    load code from the current working directory (which might be changed
- -    to another directory without the user realising) and potentially
- -    leading to privilege escalation, as demonstrated in Debian with
- -    certain combinations of installed packages.</p>
- -
- -    <p>The problem relates to Perl loading modules from the includes
- -    directory array ("@INC") in which the last element is the current
- -    directory ("."). That means that, when <q>perl</q> wants to load a module
- -    (during first compilation or during lazy loading of a module in run
- -    time), perl will look for the module in the current directory at the
- -    end, since '.' is the last include directory in its array of include
- -    directories to seek. The issue is with requiring libraries that are
- -    in "." but are not otherwise installed.</p>
- -
- -    <p>With this update several modules which are known to be vulnerable
- -    are updated to not load modules from current directory.</p>
- -
- -    <p>Additionally the update allows configurable removal of "." from @INC
- -    in /etc/perl/sitecustomize.pl for a transitional period. It is
- -    recommended to enable this setting if the possible breakage for a
- -    specific site has been evaluated. Problems in packages provided in
- -    Debian resulting from the switch to the removal of '.' from @INC
- -    should be reported to the Perl maintainers at
+    <p>Ð?жон Ð?айÑ?Ñ?и и Тодд Риналдо Ñ?ообÑ?или, Ñ?Ñ?о веÑ?оÑ?Ñ?ноÑ?Ñ?наÑ? загÑ?Ñ?зка
+    опÑ?ионалÑ?нÑ?Ñ? модÑ?лей можеÑ? пÑ?иводиÑ?Ñ? к Ñ?омÑ?, Ñ?Ñ?о многие пÑ?огÑ?аммÑ? ненамеÑ?ено
+    загÑ?Ñ?жаÑ?Ñ? код из Ñ?екÑ?Ñ?его Ñ?абоÑ?его каÑ?алога (коÑ?оÑ?Ñ?й можеÑ? бÑ?Ñ?Ñ? изменÑ?н
+    на дÑ?Ñ?гой каÑ?алог без ведома полÑ?зоваÑ?елÑ?), Ñ?Ñ?о поÑ?енÑ?иалÑ?но
+    пÑ?иводиÑ? к повÑ?Ñ?ениÑ? пÑ?ивилегий и Ñ?же бÑ?ло пÑ?одемонÑ?Ñ?Ñ?иÑ?овано в Debian
+    опÑ?еделÑ?нной комбинаÑ?ией Ñ?Ñ?Ñ?ановленнÑ?Ñ? пакеÑ?ов.</p>
+
+    <p>ЭÑ?а пÑ?облема Ñ?вÑ?зана Ñ? загÑ?Ñ?зкой Perl модÑ?лей из маÑ?Ñ?ива вклÑ?Ñ?Ñ?нного
+    каÑ?алога ("@INC"), в коÑ?оÑ?ом поÑ?ледним Ñ?леменÑ?ом Ñ?влÑ?еÑ?Ñ?Ñ? Ñ?екÑ?Ñ?ий
+    каÑ?алог ("."). ЭÑ?о ознаÑ?аеÑ?, Ñ?Ñ?о когда <q>perl</q> Ñ?обиÑ?аеÑ?Ñ?Ñ? загÑ?Ñ?зиÑ?Ñ? модÑ?лÑ?
+    (во вÑ?емÑ? пеÑ?вой компилÑ?Ñ?ии или во вÑ?емÑ? ленивой загÑ?Ñ?зки модÑ?лÑ? во вÑ?емÑ?
+    иÑ?полнениÑ?), perl иÑ?еÑ? Ñ?Ñ?оÑ? модÑ?лÑ? в Ñ?екÑ?Ñ?ем каÑ?алоге в
+    Ñ?амом конÑ?е, поÑ?колÑ?кÑ? '.' Ñ?влÑ?еÑ?Ñ?Ñ? поÑ?ледним вклÑ?Ñ?Ñ?ннÑ?м каÑ?алогом в маÑ?Ñ?иве вклÑ?Ñ?Ñ?ннÑ?Ñ?
+    каÑ?алогов, Ñ?Ñ?еди коÑ?оÑ?Ñ?Ñ? пÑ?оизводиÑ?Ñ?Ñ? поиÑ?к. Ð?Ñ?облема каÑ?аеÑ?Ñ?Ñ? Ñ?Ñ?ебÑ?емÑ?Ñ? библиоÑ?ек, коÑ?оÑ?Ñ?е
+    наÑ?одÑ?Ñ?Ñ?Ñ? в ".", но не Ñ?Ñ?Ñ?ановленÑ? каким-либо дÑ?Ñ?гим Ñ?поÑ?обом.</p>
+
+    <p>Ð? данном обновлении неÑ?колÑ?ко модÑ?лей, о коÑ?оÑ?Ñ?Ñ? извеÑ?Ñ?но, Ñ?Ñ?о они подвеÑ?женÑ?
+    данной Ñ?Ñ?звимоÑ?Ñ?и, измененÑ? Ñ?ак, Ñ?Ñ?обÑ? они не загÑ?Ñ?жали модÑ?ли из Ñ?екÑ?Ñ?его каÑ?алога.</p>
+
+    <p>Ð?Ñ?оме Ñ?ого, данное обновление позволÑ?еÑ? наÑ?Ñ?Ñ?аиваÑ?Ñ? Ñ?даление "." из @INC
+    в /etc/perl/sitecustomize.pl на пеÑ?иод пеÑ?еÑ?ода. РекомендÑ?еÑ?Ñ?Ñ?
+    вклÑ?Ñ?иÑ?Ñ? Ñ?Ñ?Ñ? наÑ?Ñ?Ñ?ойкÑ? в Ñ?ом Ñ?лÑ?Ñ?ае, еÑ?ли вÑ? оÑ?енили возможнÑ?Ñ?
+    поломкÑ? конкÑ?еÑ?ного Ñ?зла. Ð? пÑ?облемаÑ? в пакеÑ?аÑ?, пÑ?едоÑ?Ñ?авлÑ?емÑ?Ñ? в
+    Debian, коÑ?оÑ?Ñ?е пÑ?оиÑ?Ñ?одÑ?Ñ? из-за пеÑ?еÑ?ода к Ñ?далениÑ? '.' из @INC,
+    Ñ?ледÑ?еÑ? Ñ?ообÑ?аÑ?Ñ? Ñ?опÑ?овождаÑ?Ñ?им Perl по адÑ?еÑ?Ñ?
     perl@packages.debian.org .</p>
 
- -    <p>It is planned to switch to the default removal of '.' in @INC in a
- -    subsequent update to perl via a point release if possible, and in
- -    any case for the upcoming stable release Debian 9 (stretch).</p></li>
+    <p>Ð?ланиÑ?Ñ?еÑ?Ñ?Ñ? по возможноÑ?Ñ?и пеÑ?ейÑ?и по Ñ?молÑ?аниÑ? на Ñ?даление '.' из @INC в
+    Ñ?ледÑ?Ñ?Ñ?иÑ? обновлениÑ?Ñ? perl в Ñ?едакÑ?ии вÑ?пÑ?Ñ?ка, и в лÑ?бом
+    Ñ?лÑ?Ñ?ае Ñ?акой пеÑ?еÑ?од бÑ?деÑ? оÑ?Ñ?Ñ?еÑ?Ñ?влÑ?н в гоÑ?овÑ?Ñ?емÑ?Ñ? Ñ?Ñ?абилÑ?ном вÑ?пÑ?Ñ?ке Debian 9 (stretch).</p></li>
 
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2016-6185";>CVE-2016-6185</a>
 
- -    <p>It was discovered that XSLoader, a core module from Perl to
- -    dynamically load C libraries into Perl code, could load shared
- -    library from incorrect location. XSLoader uses caller() information
- -    to locate the .so file to load. This can be incorrect if
- -    XSLoader::load() is called in a string eval. An attacker can take
- -    advantage of this flaw to execute arbitrary code.</p></li>
+    <p>Ð?Ñ?ло обнаÑ?Ñ?жено, Ñ?Ñ?о XSLoader, базовÑ?й модÑ?лÑ? Perl длÑ?
+    динамиÑ?еÑ?кой загÑ?Ñ?зки C-библиоÑ?ек в Perl-код, можеÑ? загÑ?Ñ?жаÑ?Ñ? Ñ?азделÑ?емÑ?Ñ?
+    библиоÑ?екÑ? из невеÑ?ного меÑ?Ñ?а. XSLoader иÑ?полÑ?зÑ?еÑ? инÑ?оÑ?аÑ?иÑ? caller()
+    длÑ? опÑ?еделениÑ? меÑ?Ñ?а длÑ? загÑ?Ñ?зки Ñ?айла .so. ЭÑ?а инÑ?оÑ?маÑ?иÑ? можеÑ? бÑ?Ñ?Ñ? невеÑ?ной,
+    еÑ?ли XSLoader::load() вÑ?зÑ?ваеÑ?Ñ?Ñ? в коде иÑ?полнениÑ? Ñ?Ñ?Ñ?оки. Ð?лоÑ?мÑ?Ñ?ленник можеÑ?
+    иÑ?полÑ?зоваÑ?Ñ? Ñ?Ñ?Ñ? Ñ?Ñ?звимоÑ?Ñ?Ñ? длÑ? вÑ?полнениÑ? пÑ?оизволÑ?ного кода.</p></li>
 
 </ul>
 
- -<p>For the stable distribution (jessie), these problems have been fixed in
- -version 5.20.2-3+deb8u6. Additionally this update includes the
- -following updated packages to address optional module loading
- -vulnerabilities related to <a href="https://security-tracker.debian.org/tracker/CVE-2016-1238";>CVE-2016-1238</a>, or to address build failures
- -which occur when '.' is removed from @INC:</p>
+<p>Ð? Ñ?Ñ?абилÑ?ном вÑ?пÑ?Ñ?ке (jessie) Ñ?Ñ?и пÑ?облемÑ? бÑ?ли иÑ?пÑ?авленÑ? в
+веÑ?Ñ?ии 5.20.2-3+deb8u6. Ð?Ñ?оме Ñ?ого, данное обновление вклÑ?Ñ?аеÑ? в Ñ?ебÑ?
+Ñ?ледÑ?Ñ?Ñ?ие обновлÑ?ннÑ?е пакеÑ?Ñ? длÑ? Ñ?еÑ?ениÑ? Ñ?Ñ?звимоÑ?Ñ?ей Ñ? загÑ?Ñ?зкой модÑ?лей,
+Ñ?вÑ?заннÑ?Ñ? Ñ? <a href="https://security-tracker.debian.org/tracker/CVE-2016-1238";>CVE-2016-1238</a>,
+либо длÑ? Ñ?еÑ?ениÑ? оÑ?ибок Ñ?боÑ?ки, возникаÑ?Ñ?иÑ? пÑ?и Ñ?далении '.' из @INC:</p>
 
  <p>- cdbs 0.4.130+deb8u1
  - debhelper 9.20150101+deb8u2
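Review bot: the added Russian text throughout this hunk, starting at the `<define-tag description>` line, shows up as mis-encoded Cyrillic (sequences such as `Ñ?`), so the wording of the translation cannot be checked against the English paragraphs from this copy; please confirm the file is saved and sent as UTF-8, and resend if the damage is in the file itself. What can be checked looks consistent: the five paragraphs of the CVE-2016-1238 item and the one paragraph for CVE-2016-6185 are all present, and the literals `@INC`, `"."`, `/etc/perl/sitecustomize.pl`, `XSLoader::load()`, `caller()`, the version `5.20.2-3+deb8u6` and the contact address are carried over unchanged. The `href` on the added CVE-2016-1238 link near the end of the hunk reads `...CVE-2016-1238";>` with a semicolon after the closing quote, as do the two context `<li>` links; check that the semicolon is not present in the committed file.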
@@ -68,7 +69,7 @@
  - libsys-syslog-perl 0.33-1+deb8u1
  - libunicode-linebreak-perl 0.0.20140601-2+deb8u2</p>
 
- -<p>We recommend that you upgrade your perl packages.</p>
+<p>РекомендÑ?еÑ?Ñ?Ñ? обновиÑ?Ñ? пакеÑ?Ñ? perl.</p>
 </define-tag>
 
 # do not modify the following line
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

