Fedora 27: 2018-59eb033684 Moderate: perl-Dancer2 Remote Code Execution

Dancer2 is the new generation of Dancer, the lightweight web-framework for

Perl. It is a complete rewrite based on Moo and is meant to be easy and fun.

Dancer2 0.206000 addresses several potential security issues. There is a

potential RCE with regards to Storable. Dancer2 adds session ID validation to

the session engine so that session backends based on Storable can reject

malformed session IDs that may lead to exploitation of the RCE. Parsing

requests now uses HTTP::Entity::Parser which reduces the amount of code needed

and does not require re-parsing the request body.

* Sun Apr 22 2018 Emmanuel Seyman - 0.206000-1

- Update to 0.206000

* Sun Dec 17 2017 Emmanuel Seyman - 0.205002-2

- Disable dancer2's phone-home capabilities (#1521155)

* Wed Oct 18 2017 Jitka Plesnikova - 0.205002-1

- 0.205002 bump

[ 1 ] Bug #1569981 - perl-Dancer2-0.206000 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1569981

su -c 'dnf upgrade --advisory FEDORA-2018-59eb033684' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org