plperl security - Mailing list pgsql-hackers

From Andrew Dunstan
Subject plperl security
Date
Msg-id 40E994BD.1090504@dunslane.net
Responses Re: [Plperlng-devel] plperl security
Re: plperl security
List pgsql-hackers
There is a known security issue with the perl Safe module versions up to 
and including 2.07 (and 2.08 had a life of 1 day before 2.09 was 
released). See

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323

Currently we have this in plperl.c: "require Safe;"

I am thinking of submitting a patch to replace this with "use Safe 
2.09;" to enforce use of a version without the known vulnerability.

Any objections?

cheers

andrew
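
The difference between the two load statements discussed in the post, as an added example that is not part of the original message or of plperl.c: `require Safe;` accepts whatever version is installed, while `use Safe 2.09;` also calls `Safe->VERSION(2.09)` and dies on an older module. `Demo::OldSafe` and `try_load` are hypothetical names constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a pre-2.09 Safe. The package name Demo::OldSafe
# is hypothetical; it exists only so the failure path can be shown on a
# system whose real Safe is already new enough.
{
    package Demo::OldSafe;
    our $VERSION = '2.07';
}
$INC{'Demo/OldSafe.pm'} = __FILE__;    # mark it as already loaded

# Evaluate a load statement from a string, as an embedding host evaluates
# its bootstrap code. Returns (1, '') on success or (0, error text).
sub try_load {
    my ($stmt) = @_;
    my $ok  = eval "$stmt; 1";
    my $err = $ok ? '' : $@;
    $err =~ s/ at \(eval.*//s;         # drop the file/line suffix
    return ($ok ? 1 : 0, $err);
}

for my $stmt (
    'require Demo::OldSafe',     # no version check: 2.07 is accepted
    'use Demo::OldSafe 2.09',    # runs Demo::OldSafe->VERSION(2.09): dies
    'use Safe 2.09',             # the real module, as proposed in the post
) {
    my ($ok, $err) = try_load($stmt);
    printf "%-24s => %s\n", $stmt, $ok ? 'loaded' : "refused: $err";
}

# Report what the real module resolved to, if it could be loaded at all.
printf "installed Safe version: %s\n", Safe->VERSION if $INC{'Safe.pm'};
```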



