From: opensuse-security@opensuse.org
To: opensuse-updates@opensuse.org
Subject: openSUSE-SU-2013:1185-1: moderate: perl-Module-Signature
Date: Fri, 12 Jul 2013 09:04:11 +0200 (CEST)
Message-ID: <20130712070411.7D930321EA@maintenance.suse.de>

openSUSE Security Update: perl-Module-Signature
______________________________________________________________________________
Announcement ID: openSUSE-SU-2013:1185-1
Rating: moderate
References: #828010
Cross-References: CVE-2013-2145
Affected Products:
openSUSE 11.4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:

perl-Module-Signature was updated to 0.73, fixing bugs and security issues:

Security fix for code execution in signature checking:
* fix for bnc#828010 (CVE-2013-2145)
* Properly redo the previous fix using File::Spec->file_name_is_absolute.

- [Changes for 0.72 - Wed Jun 5 23:19:02 CST 2013]
  * Only allow loading Digest::* from absolute paths in @INC, by ensuring they begin with \ or / characters. Contributed by: Florian Weimer (CVE-2013-2145)
- [Changes for 0.71 - Tue Jun 4 18:24:10 CST 2013]
  * Constrain the user-specified digest name to /^\w+\d+$/.
  * Avoid loading Digest::* from relative paths in @INC. Contributed by: Florian Weimer (CVE-2013-2145)
- [Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012]
  * Don't check gpg version if gpg does not exist. This avoids unnecessary warnings during installation when gpg executable is not installed. Contributed by: Kenichi Ishigaki
- [Changes for 0.69 - Fri Nov 2 23:04:19 CST 2012]
  * Support for gpg under these alternate names: gpg gpg2 gnupg gnupg2 Contributed by: Michael Schwern
- [Changes for 0.68 - Wed Dec 14 12:14:47 UTC 2011]
  * Fix breakage introduced by 0.67 (Andreas König).
  * Better handling of \r (Andreas König, Zefram)

Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.4:
zypper in -t patch 2013-108
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.4 (noarch):
perl-Module-Signature-0.73-9.1
References:
http://support.novell.com/security/cve/CVE-2013-2145.html
https://bugzilla.novell.com/828010
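
The hardening named in the 0.71 to 0.73 changelog entries above, sketched as an added example; this is not Module::Signature's own code. The helper names `absolute_inc` and `safe_digest_object` are hypothetical, and the digest names and the relative `lib` entry in the demonstration are constructed.

```perl
use strict;
use warnings;
use File::Spec;

# Hypothetical helpers for illustration; not Module::Signature's own code.

# Keep only absolute directory entries (drops ".", "lib" and @INC hooks).
sub absolute_inc {
    return grep { !ref($_) && File::Spec->file_name_is_absolute($_) } @_;
}

sub safe_digest_object {
    my ($algorithm) = @_;

    # Same constraint as /^\w+\d+$/, split into a module base name and a
    # numeric variant (SHA256 -> SHA, 256).
    my ($base, $variant) = ($algorithm // '') =~ /^(\w+?)(\d+)$/
        or die "malformed digest name\n";

    # Search only absolute @INC entries while loading Digest::* modules.
    local @INC = absolute_inc(@INC);

    for my $try ([ "Digest::$algorithm" ], [ "Digest::$base", $variant ]) {
        my ($class, @args) = @$try;
        (my $file = "$class.pm") =~ s{::}{/}g;
        my $obj = eval { require $file; $class->new(@args) };
        return $obj if $obj;
    }
    die "no Digest module found for $algorithm\n";
}

# Constructed demonstration: a relative @INC entry plus valid and
# malformed digest names.
unshift @INC, 'lib';
printf "relative \@INC entries ignored: %d\n",
    scalar(@INC) - scalar(absolute_inc(@INC));

for my $name ('SHA256', 'SHA1', 'Foo::Bar1', 'SHA') {
    my $obj = eval { safe_digest_object($name) };
    (my $err = $@) =~ s/\n\z//;
    printf "%-10s => %s\n", $name, $obj ? 'loaded ' . ref($obj) : "rejected ($err)";
}
```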