   openSUSE Security Update: perl-Module-Signature
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1185-1
Rating:             moderate
References:         #828010
Cross-References:   CVE-2013-2145
Affected Products:
                    openSUSE 11.4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   perl-Module-Signature was updated to 0.73, fixing bugs and
   security issues:

   Security fix for code execution in signature checking:
   * fix for bnc#828010 (CVE-2013-2145)
   * Properly redo the previous fix using
     File::Spec->file_name_is_absolute.

   - [Changes for 0.72 - Wed Jun 5 23:19:02 CST 2013]
   * Only allow loading Digest::* from absolute paths in @INC, by
     ensuring they begin with \ or / characters.
     Contributed by: Florian Weimer (CVE-2013-2145)

   - [Changes for 0.71 - Tue Jun 4 18:24:10 CST 2013]
   * Constrain the user-specified digest name to /^\w+\d+$/.
   * Avoid loading Digest::* from relative paths in @INC.
     Contributed by: Florian Weimer (CVE-2013-2145)

   - [Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012]
   * Don't check gpg version if gpg does not exist.
     This avoids unnecessary warnings during installation when the
     gpg executable is not installed.
     Contributed by: Kenichi Ishigaki

   - [Changes for 0.69 - Fri Nov 2 23:04:19 CST 2012]
   * Support for gpg under these alternate names:
     gpg gpg2 gnupg gnupg2
     Contributed by: Michael Schwern

   - [Changes for 0.68 - Wed Dec 14 12:14:47 UTC 2011]
   * Fix breakage introduced by 0.67 (Andreas König).
   * Better handling of \r (Andreas König, Zefram)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.4:

      zypper in -t patch 2013-108

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.4 (noarch):

      perl-Module-Signature-0.73-9.1

References:

   http://support.novell.com/security/cve/CVE-2013-2145.html
   https://bugzilla.novell.com/828010
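
The two CVE-2013-2145 hardening steps listed in the changelog above (the digest-name pattern and the absolute-only @INC entries), sketched in Perl as an added example. This is not Module::Signature's own code; find_digest_module, Digest::Demo1 and the temporary directory layout are hypothetical and constructed for the demonstration.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper, not Module::Signature's code: map a digest name read
# from an untrusted SIGNATURE file to a Digest::* module file on disk.
sub find_digest_module {
    my ($name, @inc) = @_;

    # 0.71 change: the name must match /^\w+\d+$/, so no '/', '.' or ':'.
    return unless defined $name && $name =~ /^\w+\d+$/;

    for my $dir (@inc) {
        next if ref $dir;    # ignore @INC hooks (code refs, objects)
        # 0.73 change: portable absolute-path test instead of a prefix check.
        next unless File::Spec->file_name_is_absolute($dir);
        my $file = File::Spec->catfile($dir, 'Digest', "$name.pm");
        return $file if -f $file;
    }
    return;    # nothing acceptable found
}

# Constructed layout: one module file under a directory that is reachable
# both as '.' (relative) and by its absolute path.
my $root = tempdir(CLEANUP => 1);
make_path(File::Spec->catdir($root, 'Digest'));
open my $fh, '>', File::Spec->catfile($root, 'Digest', 'Demo1.pm') or die $!;
print {$fh} "package Digest::Demo1; 1;\n";
close $fh;

my $old = getcwd();
chdir $root or die $!;

for my $name ('Demo1', '../Demo1', 'Demo', 'Demo1::x') {
    my $rel = find_digest_module($name, '.');           # relative @INC only
    my $abs = find_digest_module($name, '.', $root);    # relative + absolute
    printf "%-10s relative-only: %-8s with absolute: %s\n", $name,
        defined $rel ? 'found' : 'refused', defined $abs ? $abs : 'refused';
}
chdir $old;    # leave the temp dir so CLEANUP can remove it
```

Only the name Demo1 resolves, and only through the absolute directory; the same file reached through '.' is refused, as is every name that fails the pattern.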