
This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information
The Basics
Id: 130689
Status: rejected
Priority: 0/
Queue: Perl-Dist-Strawberry

People
Owner: Nobody in particular
Requestors: biejunh [...] cn.ibm.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Attachments
static Strawberry Perl (32_64) 20190925_16_05_20191010_14_46_57.html



Subject: security vulnerabilities discovered on Strawberry Perl 5.30.0.1 and some Perl modules
Date: Fri, 11 Oct 2019 14:43:11 +0000
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Hello Strawberry Perl bug team,

We are using Strawberry Perl 5.30.0.1 and some CPAN modules on our application, according to company's security policy, we ran static code scanning for these open source code, but some security vulnerabilities are discovered during scanning.

Ungrouped  Missing Setuid (PrivilegeEscalation, CWE-266)  32
Ungrouped  File Open Mode Is User Modifiable (AccessControl.Bypass, CWE-288)  4

For the details, please refer to following reporting:

Do you have any solution to fix these security issues? It is very urgent for us to fix these issues for our project, could you take it as high priority?
Thanks in advance!

Best Regards,
Jun Hua Bie
Senior IT Specialist
Global Technical Service
IBM Service
Mobile: +86-138-2370-2390
mailto:biejunh@cn.ibm.com

Message body is not shown because sender requested not to inline it.

On Fri Oct 11 16:25:13 2019, biejunh@cn.ibm.com wrote:
> Hello Strawberry Perl bug team,
>
> We are using Strawberry Perl 5.30.0.1 and some CPAN modules on our
> application, according to company's security policy, we ran static code
> scanning for these open source code, but some security vulnerabilities are
> discovered during scanning.
> Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32
> Ungrouped File Open Mode Is User Modifiable (AccessControl.Bypass,
> CWE-288) 4
>
> For the details, please refer to following reporting:
>
> Do you have any solution to fix these security issues? It is very
> urgent for us to fix these issues for our project, could you take it as
> high priority?
> Thanks in advance!
>
> Best Regards,
> Jun Hua Bie
> Senior IT Specialist
> Global Technical Service
> IBM Service
> Mobile: +86-138-2370-2390
> mailto:biejunh@cn.ibm.com
Related: https://rt.cpan.org/Ticket/Display.html?id=130688
None of these are core modules, so they are out of scope of the Strawberry perl port, or of perl core itself. They should be reported to the individual module authors.

e.g. AnyEvent::Util -- report to the issue queue documented at https://metacpan.org/pod/AnyEvent::Util (left sidebar)

other modules listed (several times each):
Win32API::File
Net::SSLeay::Handle
AnyEvent::Handle

