[ubuntu-hardened] Fwd: Re: [USN-4503-1] Perl DBI module vulnerability

pali at cpan.org pali at cpan.org
Wed Oct 14 12:10:32 UTC 2020


On Wednesday 14 October 2020 07:45:10 Marc Deslauriers wrote:
> > 3) That Ubuntu fix is INCOMPLETE, does nothing and is basically useless.
> > It does *NOT* fix the issue which Ubuntu described in that USN or in the CVE
> > description.
> 
> So are you saying the original commit is incomplete to fix that particular CVE,
> or that that particular CVE should be rejected?

The original commit is complete. The Ubuntu patch is incomplete; look below:

> > 
> > If you look at the code in that diff, it changes just the C include file
> > Driver.xst. It does not affect, nor fix, any compiled DBD driver.
> > 
> > So to apply that fix you first need to update that DBI include file
> > Driver.xst and then recompile every DBD driver, as DBD drivers
> > during compilation create a private copy of Driver.xst and compile it.
> > 
> > This is how DBI and DBD drivers are built, and after updating the DBI
> > Driver.xst file, it is required to recompile every DBD driver. Otherwise
> > nothing would be changed.
> > 
> > 
> > So the result is that the updated Ubuntu packages do not fix the issue which
> > they describe in the USN and CVE.
> > 

You have not updated/recompiled any DBD driver, therefore you have not
fixed anything.


