   openSUSE Security Update: perl-Module-Signature
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1178-1
Rating:             moderate
References:         #828010
Cross-References:   CVE-2013-2145
Affected Products:
                    openSUSE 12.3
                    openSUSE 12.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   perl-Module-Signature was updated to 0.73, fixing bugs and
   security issues:

   Security fix for code execution in signature checking:
   * fix for bnc#828010 (CVE-2013-2145)
   * Properly redo the previous fix using
     File::Spec->file_name_is_absolute.

   - [Changes for 0.72 - Wed Jun 5 23:19:02 CST 2013]
   * Only allow loading Digest::* from absolute paths in @INC,
     by ensuring they begin with \ or / characters.
     Contributed by: Florian Weimer (CVE-2013-2145)

   - [Changes for 0.71 - Tue Jun 4 18:24:10 CST 2013]
   * Constrain the user-specified digest name to /^\w+\d+$/.
   * Avoid loading Digest::* from relative paths in @INC.
     Contributed by: Florian Weimer (CVE-2013-2145)

   - [Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012]
   * Don't check gpg version if gpg does not exist.
     This avoids unnecessary warnings during installation
     when gpg executable is not installed.
     Contributed by: Kenichi Ishigaki

   - [Changes for 0.69 - Fri Nov 2 23:04:19 CST 2012]
   * Support for gpg under these alternate names:
     gpg gpg2 gnupg gnupg2
     Contributed by: Michael Schwern

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-573

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-573

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 12.3 (noarch):

      perl-Module-Signature-0.73-4.4.1

   - openSUSE 12.2 (noarch):

      perl-Module-Signature-0.73-2.4.1

References:

   http://support.novell.com/security/cve/CVE-2013-2145.html
   https://bugzilla.novell.com/828010
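
The two constraints named in the 0.71 to 0.73 changelog entries above, shown together as an added Perl example. This is not Module::Signature's own source; load_digest and the sample names are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration of the hardening described in the changelog;
# not taken from Module::Signature.
use strict;
use warnings;
use File::Spec;

# Hypothetical helper: load a Digest::* backend for an untrusted digest name.
sub load_digest {
    my ($name) = @_;

    # Pattern from the 0.71 entry, anchored with \A and \z so that a
    # trailing newline is refused too. "::", "/" and ".." cannot match \w.
    die "rejected digest name\n"
        unless defined $name && $name =~ /\A\w+\d+\z/;

    # Search only absolute @INC directories (0.73 uses
    # File::Spec->file_name_is_absolute for this), so a relative entry such
    # as "." is never resolved against the current working directory.
    # Code-ref hooks in @INC are dropped as well.
    local @INC = grep { !ref($_) && File::Spec->file_name_is_absolute($_) } @INC;

    my $file = "Digest/$name.pm";
    return eval { require $file; 1 } ? "Digest::$name" : undef;
}

# Constructed inputs: two plausible algorithm names, two hostile names.
for my $name ('MD5', 'SHA1', '../../evil1', 'Evil::Mod1') {
    my $class  = eval { load_digest($name) };
    my $result = $@            ? 'rejected by name check'
               : defined $class ? "loaded $class"
               :                  'not installed in an absolute @INC path';
    printf "%-12s => %s\n", $name, $result;
}
```

Digest::MD5 ships with Perl, so the first name loads; whether Digest::SHA1 loads depends on what is installed on the host.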