
Bug#973342: buster-pu: package libdbi-perl/1.642-1+deb10u2



Hi Xavier,

On Sun, Nov 22, 2020 at 06:14:05PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Thu, 2020-10-29 at 07:43 +0100, Xavier Guimard wrote:
> > libdbi-perl is still vulnerable to CVE-2014-10401: DBD::File drivers
> > can open files from folders other than those specifically passed via
> > the f_dir attribute.
> 
> +  * lib/DBD/File.pm: fix CVE-2014-10401 (Closes: #972180)
> 
> That bug report claims to be related to CVE-2014-1040*2*, which is the
> result of an incomplete initial fix for CVE-2014-10401.
> 
> That seems worth clarifying, but in any case please go ahead.

Xavier, can you upload it? It won't make it though for 10.7 but can be
batched then for the next one.

Many thanks for your work!

Regards,
Salvatore

