> I've not seen much (any?) traffic on this list recently. Is this list still
> alive?

The DBI is very, um, stable.

> Is there a new release of DBI with the fix in place that I missed?

Yes, 1.643. It's not made very clear though.
CVE-2020-14392 <https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14392.html>
says "An untrusted pointer dereference flaw was found in Perl-DBI < 1.643" (note the "<")

The changes <https://metacpan.org/changes/distribution/DBI> for the 1.643 release
include several fixes from Pali and Petr. (Thanks!)

Tim.

> On 16 Sep 2020, at 18:25, Jonathan Leffler <jonathan.leff...@gmail.com> wrote:
>
> I've not seen much (any?) traffic on this list recently. Is this list still
> alive?
>
> This message arrived from Canonical/Ubuntu about a fixed bug in DBI —
> numerous versions thereof (1.640, 1.634, 1.630, 1.616).
>
> Is there a new release of DBI with the fix in place that I missed?
>
>
> ---------- Forwarded message ---------
> From: Leonidas S. Barbosa <leo.barb...@canonical.com>
> Date: Wed, Sep 16, 2020 at 8:15 AM
> Subject: [USN-4503-1] Perl DBI module vulnerability
> To: <ubuntu-security-annou...@lists.ubuntu.com>
>
>
> ==========================================================================
> Ubuntu Security Notice USN-4503-1
> September 16, 2020
>
> libdbi-perl vulnerability
> ==========================================================================
>
> A security issue affects these releases of Ubuntu and its derivatives:
>
> - Ubuntu 18.04 LTS
> - Ubuntu 16.04 LTS
> - Ubuntu 14.04 ESM
> - Ubuntu 12.04 ESM
>
> Summary:
>
> Perl DBI module could be made to execute arbitrary code if it received a
> specially manipulated call.
>
> Software Description:
> - libdbi-perl: Perl Database Interface (DBI)
>
> Details:
>
> It was discovered that Perl DBI module incorrectly handled certain calls.
> An attacker could possibly use this issue to execute arbitrary code.
>
> Update instructions:
>
> The problem can be corrected by updating your system to the following
> package versions:
>
> Ubuntu 18.04 LTS:
>   libdbi-perl 1.640-1ubuntu0.1
>
> Ubuntu 16.04 LTS:
>   libdbi-perl 1.634-1ubuntu0.1
>
> Ubuntu 14.04 ESM:
>   libdbi-perl 1.630-1ubuntu0.1~esm1
>
> Ubuntu 12.04 ESM:
>   libdbi-perl 1.616-1ubuntu0.1
>
> In general, a standard system update will make all the necessary changes.
>
> References:
> https://usn.ubuntu.com/4503-1
> CVE-2020-14392
>
> Package Information:
> https://launchpad.net/ubuntu/+source/libdbi-perl/1.640-1ubuntu0.1
> https://launchpad.net/ubuntu/+source/libdbi-perl/1.634-1ubuntu0.1
> --
> ubuntu-security-announce mailing list
> ubuntu-security-annou...@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
>
>
> --
> Jonathan Leffler <jonathan.leff...@gmail.com>  #include <disclaimer.h>
> Guardian of DBD::Informix - v2018.1031 - http://dbi.perl.org
> "Blessed are we who can laugh at ourselves, for we shall never cease to be
> amused."