{"update": {"autokarma": true, "autotime": false, "stable_karma": 3, "stable_days": 0, "unstable_karma": -3, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "Dancer2 0.206000 addresses several potential security issues.\n\nThere is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE.\n\nParsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed and does not require re-parsing the request body.", "type": "security", "status": "stable", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": null, "close_bugs": true, "date_submitted": "2018-04-29 15:29:14", "date_modified": null, "date_approved": null, "date_testing": "2018-04-30 14:16:36", "date_stable": "2018-05-10 19:15:17", "alias": "FEDORA-2018-59eb033684", "test_gating_status": "passed", "from_tag": null, "date_pushed": "2018-05-10 19:15:17", "meets_testing_requirements": true, "url": "https://bodhi.stg.fedoraproject.org/updates/FEDORA-2018-59eb033684", "title": "perl-Dancer2-0.206000-1.fc27", "version_hash": "fc2068675d8addf24ba2b0136d5f063ff187e556", "release": {"name": "F27", "long_name": "Fedora 27", "version": "27", "id_prefix": "FEDORA", "branch": "f27", "dist_tag": "f27", "stable_tag": "f27-updates", "testing_tag": "f27-updates-testing", "candidate_tag": "f27-updates-candidate", "pending_signing_tag": "f27-signing-pending", "pending_testing_tag": "f27-updates-testing-pending", "pending_stable_tag": "f27-updates-pending", "override_tag": "f27-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": null, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "eseyman", "email": "emmanuel@seyman.fr", "id": 608, "avatar": "https://seccdn.libravatar.org/avatar/167fb8c3c1ce76fb7df2b702707e7483a1c3c1d699c8e307dac76ef0eb1e6393?s=24&d=retro", "openid": "eseyman.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "perl-maint-sig"}, {"name": "advocates"}, {"name": "trust admins"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by eseyman. ", "timestamp": "2018-04-29 15:29:14", "update_id": 114120, "user_id": 91, "id": 775194, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "What are the CVE IDs for these security issues?", "timestamp": "2018-04-30 09:25:50", "update_id": 114120, "user_id": 207, "id": 775585, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "anonymous", "email": null, "id": 207, "avatar": "https://seccdn.libravatar.org/avatar/37a8eec1ce19687d132fe29051dca629d164e2c4958ba141d5f4133a33f0688f?s=24&d=retro", "openid": "anonymous.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "There are no CVEs. All I've got are the changelog and the two pull requests on Github.\n\nhttp://cpansearch.perl.org/src/CROMEDOME/Dancer2-0.206000/Changes\nhttps://github.com/PerlDancer/Dancer2/pull/1434\nhttps://github.com/PerlDancer/Dancer2/pull/1406", "timestamp": "2018-04-30 11:44:39", "update_id": 114120, "user_id": 608, "id": 775624, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "eseyman", "email": "emmanuel@seyman.fr", "id": 608, "avatar": "https://seccdn.libravatar.org/avatar/167fb8c3c1ce76fb7df2b702707e7483a1c3c1d699c8e307dac76ef0eb1e6393?s=24&d=retro", "openid": "eseyman.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "perl-maint-sig"}, {"name": "advocates"}, {"name": "trust admins"}]}}, {"karma": 0, "karma_critpath": 0, "text": "@eseyman I've had a look into all changes referenced in the versions v0.206000_02 and v0.206000, however I could not identify the potential RCE flaw. Could you be more specific about this? Also I do not understand the security concerns regarding the two pull requests you mentioned. Thank you for your effort!", "timestamp": "2018-04-30 12:45:10", "update_id": 114120, "user_id": 3997, "id": 775637, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "muench", "email": "muench@dfn-cert.de", "id": 3997, "avatar": "https://seccdn.libravatar.org/avatar/2ec536f3ae1330bfa0806331010f27704f1b66ad924ce518329a213d77faf96c?s=24&d=retro", "openid": "muench.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2018-04-30 14:18:11", "update_id": 114120, "user_id": 91, "id": 775676, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "> Could you be more specific about this?\n\nThe information comes from [the announcement on the dancer-users list](http://lists.preshweb.co.uk/pipermail/dancer-users/2018-April/005952.html).\n", "timestamp": "2018-04-30 14:28:15", "update_id": 114120, "user_id": 608, "id": 775679, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "eseyman", "email": "emmanuel@seyman.fr", "id": 608, "avatar": "https://seccdn.libravatar.org/avatar/167fb8c3c1ce76fb7df2b702707e7483a1c3c1d699c8e307dac76ef0eb1e6393?s=24&d=retro", "openid": "eseyman.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "ambassadors"}, {"name": "perl-maint-sig"}, {"name": "advocates"}, {"name": "trust admins"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes", "timestamp": "2018-05-07 18:00:23", "update_id": 114120, "user_id": 91, "id": 780258, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for batched by eseyman. ", "timestamp": "2018-05-07 18:41:54", "update_id": 114120, "user_id": 91, "id": 780279, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi. ", "timestamp": "2018-05-08 03:01:56", "update_id": 114120, "user_id": 91, "id": 780517, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "perl-Dancer2-0.206000-1.fc27 ejected from the push because u\"Cannot find relevant tag for perl-Dancer2-0.206000-1.fc27.  None of ['f27-updates', 'f27-updates-pending'] are in [u'f22-updates-testing', u'dist-6E-epel-testing', u'f21-updates-testing', u'f25-updates-testing', u'f24-updates-testing', u'epel7-testing', u'f27-modular-updates-testing', u'dist-5E-epel-testing', u'f23-updates-testing', u'f26-updates-testing', u'f28-updates-testing', u'f27-updates-testing', u'f28-modular-updates-testing'].\"", "timestamp": "2018-05-10 04:45:59", "update_id": 114120, "user_id": 91, "id": 781600, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for batched by eseyman. ", "timestamp": "2018-05-10 08:46:34", "update_id": 114120, "user_id": 91, "id": 781683, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by eseyman. ", "timestamp": "2018-05-10 08:46:45", "update_id": 114120, "user_id": 91, "id": 781684, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "perl-Dancer2-0.206000-1.fc27 ejected from the push because u\"Cannot find relevant tag for perl-Dancer2-0.206000-1.fc27.  None of ['f27-updates', 'f27-updates-pending'] are in [u'f22-updates-testing', u'dist-6E-epel-testing', u'f21-updates-testing', u'f25-updates-testing', u'f24-updates-testing', u'epel7-testing', u'f27-modular-updates-testing', u'dist-5E-epel-testing', u'f23-updates-testing', u'f26-updates-testing', u'f28-updates-testing', u'f27-updates-testing', u'f28-modular-updates-testing'].\"", "timestamp": "2018-05-10 14:10:17", "update_id": 114120, "user_id": 91, "id": 781907, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been marked stable administratively. See https://pagure.io/fedora-infrastructure/issue/6925", "timestamp": "2018-05-10 19:15:17", "update_id": 114120, "user_id": 2897, "id": 782072, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bowlofeggs", "email": "randy@electronsweatshop.com", "id": 2897, "avatar": "https://seccdn.libravatar.org/avatar/74e6735e7dfd745bcd1aba3f64ead2d32631373aae819d812c28f339c5700ed8?s=24&d=retro", "openid": "bowlofeggs.id.stg.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "communishift"}, {"name": "atomic-wg"}, {"name": "erlang"}, {"name": "erlang-maint-sig"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2018-05-10 19:15:21", "update_id": 114120, "user_id": 91, "id": 782073, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.stg.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "perl-Dancer2-0.206000-1.fc27", "signed": true, "release_id": 17, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 1569981, "title": "perl-Dancer2-0.206000 is available", "security": false, "parent": false, "feedback": []}], "updateid": "FEDORA-2018-59eb033684", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}