Need discussion, Re: Latest contrib perl

Michael Mansour mic at npgx.com.au
Tue Dec 27 08:48:56 UTC 2005


Hi,

> > Hi,
> > 
> > I'm trying to apply the latest contrib perl from:
> > 
> > http://www.fedoralegacy.org/contrib/perl/
> > 
> > namely:
> > 
> > perl-5.8.3-19.2.legacy.i386.rpm
> > perl-suidperl-5.8.3-19.2.legacy.i386.rpm
> > 
> > but I get the following result:
> > 
> > # rpm -Uvh perl-suidperl-5.8.3-19.2.legacy.i386.rpm
> > perl-5.8.3-19.2.legacy.i386.rpm
> > warning: perl-suidperl-5.8.3-19.2.legacy.i386.rpm: Header V3 DSA signature:
> > NOKEY, key ID 5740edab
> > error: Failed dependencies:
> >         libdb-4.2.so is needed by perl-5.8.3-19.2.legacy.i386
> > 
> > Where can I get libdb-4.2.so from?
> > 
> > When I check via yum whatprovides, I can find everything except 4.2.
> > 
> > Thanks.
> > 
> > Michael.
> 
> What version of Linux are you using, Michael?  The

I'm using FC1.

> perl-5.8.3-19.2.legacy.i386.rpm series as posted to
> fedoralegacy.org/contrib is a pre-testing Legacy version of Perl compiled
> for use with Fedora Core 2.  I was thinking you use Fedora Core 1.
> 
> You may wish to check Bugzilla bug # 152845 at
> 
>    <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152845>
> 
> to make sure you're downloading the binaries for the Distro you are
> running.  Assuming binaries are available there.  (If you're running 
> FC1, I have binaries at home on my system I can upload there that 
> match the FC1 sources, if you want to use them.  I've only uploaded 
> the FC1 sources
> (perl-5.8.3-17.3.legacy.src.rpm) there.  But you may want to wait 

The perl versions I'm currently using on FC1 are from that directory:

# rpm -q perl perl-suidperl
perl-5.8.3-18.1.legacy
perl-suidperl-5.8.3-18.1.legacy

I was unaware that they may have been built for FC2. But either way I needed
to upgrade as I was getting hacked at the time through perl exploits and those
contrib perls were protecting my system.

> for the version of Perl for your OS Distro being built now that 
> should be pushed to updates-testing in a day or two.)

Yeah, I don't mind waiting, but I'm concerned that waiting (like I did before)
would just invite hackers in. I have very good protection for a lot of hacks
and use things like nessus, blacklists, etc. to monitor and protect my
environment, but from the last hack attempt where they were successful, I just
can't be too careful and see prevention being much better than fixing later.

> Remember, Michael.  The binary (and source!) packages published at
> <http://fedoralegacy.org/contrib/> have not been through full QA.  
> You use them AT YOUR OWN RISK!

Yes, I understand that and am aware of it, but sometimes it's still more worthwhile
to implement them and fix whatever they break than to get hacked.

> NEW PERL BUGZILLA TICKET NEEDED?
> --- ---- -------- ------ -------
> 
> I think we need to open a new Bug report for the more recent Perl
> vulnerability(ies), CVE-2005-3962, "Integer overflow in the format string
> functionality...."  Either that, or we need to add the fixes for 
> this CVE to the current Perl Bugzilla 152845 that we are working on 
> (and get some participation in QA'ing it!!!).  Would appreciate your 
> (and everyone's!) opinion on this, Michael.
> 
> Because of low interest (or low prioritization for doing QA work) by
> participants of the Fedora Legacy Project for Perl, the Perl bug # 152845
> has been open for more than a year and gotten rather long in the tooth:
> However, it has over that year accumulated a lot of important 
> Security fixes.  Just not yet CVE-2005-3962 (which is rated moderate 
> security impact by the Red Hat Security Response Team) ...
> 
> I am in the process of building (for updates-testing) binary Perl packages
> that have passed our PUBLISH QA in that bug (for all Security issues 
> we know of except for CVE-2005-3962) on Fedora Legacy's build server,
>  and I hope we can have test packages pushed to updates-testing 
> within a day or two.  But we can stop this process and fold in 
> updates for CVE-2005-3962 if it is felt that it is necessary to do 
> so at this point.
> 
> My fear is, if we *DO* stop the build process to fold in CVE-2005-3962
> for the vulnerable distros, it will be yet another year before 
> we get the necessary QA for Perl's source rpms so we can build for 
> updates-testing, let alone push to updates!
> 
> Whatever we decide to do, your QA on upcoming binary packages will 
> be most warmly accepted.  :)

I'm more than happy to do this, as I run production FC1/FC2/FC3 servers, and
have duplicates in test which I can apply on before I move them into production.

Thanks for your comments, mate, and when you do publish the latest FC1 perl
RPMs, I'll be sure to keep an eye out on this list to test them.

Michael.

> Thanks.
> 
> 	Warm regards,
> 	David Eisenstein
> 
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
------- End of Original Message -------
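The "NOKEY" warning and the "Failed dependencies" block in the transcript above are the two signals an admin should act on before installing contrib packages: NOKEY means rpm could not verify the signature at all (the signing key is not imported), and a dependency on a library the distro never shipped (libdb-4.2 is the FC2 db4) points to a build-target mismatch. The script below is an added example, not code from the thread or from Fedora Legacy; it parses "rpm -Uvh --test" output (a constructed sample modelled on the quoted one is embedded, with the wrapped warning line unwrapped) and refuses to proceed on either signal.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a contrib RPM install should
# proceed by parsing the output of "rpm -Uvh --test". A "NOKEY" warning means the
# signature was not actually checked (signing key not imported), so the package is
# unverified; a "Failed dependencies" entry naming a library absent from the distro
# (libdb-4.2 from FC2 on FC1) points to a build-target mismatch, not a missing file.

# Constructed sample modelled on the transcript quoted in the thread.
SAMPLE_OUTPUT='warning: perl-suidperl-5.8.3-19.2.legacy.i386.rpm: Header V3 DSA signature: NOKEY, key ID 5740edab
error: Failed dependencies:
        libdb-4.2.so is needed by perl-5.8.3-19.2.legacy.i386'

# Packages whose signature rpm reported as NOKEY or BAD, one per line.
unverified_packages() {
    printf '%s\n' "$1" | awk '/^warning: / && /signature: (NOKEY|BAD)/ { sub(/:$/, "", $2); print $2 }'
}

# Key IDs rpm said it does not have; the admin fetches the project's key file and
# runs "rpm --import" on it manually (ids are only printed, never auto-imported).
missing_key_ids() {
    printf '%s\n' "$1" | awk '/signature: NOKEY, key ID / { print $NF }'
}

# Capabilities listed under "Failed dependencies:", one per line.
missing_deps() {
    printf '%s\n' "$1" | awk '/^error: Failed dependencies:/ { f = 1; next }
                              f && / is needed by / { print $1 }'
}

# REFUSE when any signature is unverified or any dependency is missing, else PROCEED.
install_decision() {
    if [ -n "$(unverified_packages "$1")" ] || [ -n "$(missing_deps "$1")" ]; then
        echo REFUSE
    else
        echo PROCEED
    fi
}

# With rpm present and package files given, dry-run the real transaction; else use sample.
if command -v rpm >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    OUTPUT=$(rpm -Uvh --test "$@" 2>&1) || true
else
    OUTPUT=$SAMPLE_OUTPUT
fi
echo "unverified: $(unverified_packages "$OUTPUT" | tr '\n' ' ')"
echo "missing keys: $(missing_key_ids "$OUTPUT" | tr '\n' ' ')"
echo "missing deps: $(missing_deps "$OUTPUT" | tr '\n' ' ')"
echo "decision: $(install_decision "$OUTPUT")"
```

Run it as `sh check-rpm.sh perl-5.8.3-19.2.legacy.i386.rpm perl-suidperl-5.8.3-19.2.legacy.i386.rpm` on the target box; with no arguments it reports on the embedded sample.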