Need discussion, Re: Latest contrib perl

David Eisenstein deisenst at gtw.net
Tue Dec 27 06:14:59 UTC 2005


On Tue, 27 Dec 2005, Michael Mansour wrote:

> Hi,
> 
> I'm trying to apply the latest contrib perl from:
> 
> http://www.fedoralegacy.org/contrib/perl/
> 
> namely:
> 
> perl-5.8.3-19.2.legacy.i386.rpm
> perl-suidperl-5.8.3-19.2.legacy.i386.rpm
> 
> but I get the following result:
> 
> # rpm -Uvh perl-suidperl-5.8.3-19.2.legacy.i386.rpm perl-5.8.3-19.2.legacy.i386.rpm
> warning: perl-suidperl-5.8.3-19.2.legacy.i386.rpm: Header V3 DSA signature: NOKEY, key ID 5740edab
> error: Failed dependencies:
>         libdb-4.2.so is needed by perl-5.8.3-19.2.legacy.i386
> 
> Where can I get libdb-4.2.so from?
> 
> When I check via yum whatprovides, I can find everything except 4.2.
> 
> Thanks.
> 
> Michael.

What version of Linux are you using, Michael?  The
perl-5.8.3-19.2.legacy.i386.rpm series as posted to
fedoralegacy.org/contrib is a pre-testing Legacy version of Perl compiled
for use with Fedora Core 2.  I was thinking you use Fedora Core 1.

You may wish to check Bugzilla bug # 152845 at

   <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845>

to make sure you're downloading the binaries for the Distro you are
running, assuming binaries are available there.  (If you're running FC1,
I have binaries at home on my system I can upload there that match the FC1
sources, if you want to use them.  I've only uploaded the FC1 sources
(perl-5.8.3-17.3.legacy.src.rpm) there.  But you may want to wait for the
version of Perl for your OS Distro being built now that should be pushed
to updates-testing in a day or two.)

Remember, Michael.  The binary (and source!) packages published at
<http://fedoralegacy.org/contrib/> have not been through full QA.  You use
them AT YOUR OWN RISK!


NEW PERL BUGZILLA TICKET NEEDED?
--- ---- -------- ------ -------

I think we need to open a new Bug report for the more recent Perl
vulnerability(ies), CVE-2005-3962, "Integer overflow in the format string
functionality...."  Either that, or we need to add the fixes for this CVE
to the current Perl Bugzilla 152845 that we are working on (and get some
participation in QA'ing it!!!).  Would appreciate your (and everyone's!)
opinion on this, Michael.

Because of low interest (or low prioritization for doing QA work) by
participants of the Fedora Legacy Project for Perl, the Perl bug # 152845
has been open for more than a year and gotten rather long in the tooth.
However, it has over that year accumulated a lot of important Security
fixes.  Just not yet CVE-2005-3962 (which is rated moderate security
impact by the Red Hat Security Response Team) ...

I am in the process of building (for updates-testing) binary Perl packages
that have passed our PUBLISH QA in that bug (for all Security issues we
know of except for CVE-2005-3962) on Fedora Legacy's build server, and I
hope we can have test packages pushed to updates-testing within a day or
two.  But we can stop this process and fold in updates for CVE-2005-3962
if it is felt that it is necessary to do so at this point.  

My fear is, if we *DO* stop the build process to fold in CVE-2005-3962 for
the vulnerable distros, it will be yet another year before we get the
necessary QA for Perl's source rpms so we can build for updates-testing,
let alone push to updates!

Whatever we decide to do, your QA on upcoming binary packages will be most
warmly accepted.  :)

Thanks.

	Warm regards,
	David Eisenstein
