-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:136 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : perl Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated perl package fixes security vulnerability: The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function (CVE-2014-4330). Also, the Text::Wrap version provided in perl contains a bug that can lead to a code path that shouldn't be hit. This can lead to crashes in other software, such as Bugzilla. The Text::Wrap module bundled with Perl has been patched and the Data::Dumper module bundled with Perl has been updated to fix these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330 http://advisories.mageia.org/MGASA-2014-0406.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: ad6ebe7e5f8290c6c89508c41d5a85e8 mbs2/x86_64/perl-5.18.1-5.1.mbs2.x86_64.rpm c3d5a28dd7d7d8d361fd39b635f11887 mbs2/x86_64/perl-base-5.18.1-5.1.mbs2.x86_64.rpm 9ac3d8166eda134e3ea3d08ebdec1754 mbs2/x86_64/perl-devel-5.18.1-5.1.mbs2.x86_64.rpm ee9cb33c6d571d0c89c38835ceb292fd mbs2/x86_64/perl-doc-5.18.1-5.1.mbs2.noarch.rpm 9991fca1f7669cf7518928625e3a26de mbs2/SRPMS/perl-5.18.1-5.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF9CZmqjQ0CJFipgRAsyRAJ965bvaZOasxaS94oyuuL//LbqvKACfa/Kz vGic6TWIFAF95mYbYpXVHE4= =/hb4 -----END PGP SIGNATURE-----