Re: [Koha] SECURITY release: MARC::File::XML 1.0.2
At 10:32 AM 1/21/2014 -0800, Galen Charlton wrote:
Hi,
I have uploaded [1] version 1.0.2 of MARC::File::XML, a Perl module which is used by Koha. This is a security release that repairs an XML external entity (XXE) vulnerability. [snip]
Hi Galen - I've been keeping an eye open for this release for Ubuntu 12.04 LTS. After an 'update' I felt fairly comfortable as it showed 1.0.2, but digging deeper, I find:

me@hardy:/$ sudo apt-cache show libmarc-xml-perl
Package: libmarc-xml-perl
Version: 1.0.2-1koha1
Architecture: all
Maintainer: Robin Sheat <robin@catalyst.net.nz>
[snip]
Package: libmarc-xml-perl
Priority: optional
Section: universe/perl
Installed-Size: 108
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Architecture: all
Version: 0.92-1
[snip]

Could you please advise on 1.0.2 versus 0.92-1 -- the devil is always in the details.

btw, it updated the sandbox seamlessly; as soon as I can find a cataloguer to "give it a whirl", I'll do the production box -- unless you can point me to any particular detail that would verify full functionality.

Many thanks and best regards -- Paul
Hi, On Wed, Jan 22, 2014 at 3:15 PM, Paul A <paul.a@navalmarinearchive.com> wrote:
Could you please advise on 1.0.2 versus 0.92-1 -- the devil is always in the details.
All versions of MARC::File::XML prior to 1.0.2 are subject to the vulnerability, including the Debian- and Ubuntu-packaged 0.92-1. I recommend that you proceed with updating libmarc-xml-perl.

Regards,

Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: gmc@esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
Paul A schreef op wo 22-01-2014 om 18:15 [-0500]:
me@hardy:/$ sudo apt-cache show libmarc-xml-perl
Package: libmarc-xml-perl
Version: 1.0.2-1koha1
Architecture: all
Maintainer: Robin Sheat <robin@catalyst.net.nz>
[snip]
Package: libmarc-xml-perl
Priority: optional
Section: universe/perl
Installed-Size: 108
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Architecture: all
Version: 0.92-1
[snip]
Version 1.0.2 is version 1.0.2. Version 0.92 is version 0.92. apt-cache show is showing you all the versions that it knows about. I'm not totally sure what your question is. For more information, refer to 'man apt-cache' which explains all about the output.

For checking what is actually installed, you want apt-cache policy, e.g.

$ apt-cache policy libmarc-xml-perl
libmarc-xml-perl:
  Installed: 1.0.1-1~koha1
  Candidate: 1.0.2-1koha1
  Version table:
     1.0.2-1koha1 0
        500 http://debian.koha-community.org/koha/ squeeze/main amd64 Packages
 *** 1.0.1-1~koha1 0
        100 /var/lib/dpkg/status
     0.92-1 0
        500 http://ubuntu.catalyst.net.nz/ubuntu/ precise/universe amd64 Packages

The *** indicates that I have 1.0.1 installed, and the fact that it says that 1.0.2 is a candidate means that will be the one that gets installed when I next do an update. Again, this is all in the manpage.

--
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
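A defender-side check for the situation Robin describes, added here as an illustration and not code from the thread, Koha or Debian: it reads the Installed/Candidate lines out of `apt-cache policy` output, compares Debian version strings with the dpkg ordering (so `1.0.1-1~koha1` sorts below `1.0.2` while `1.0.2-1koha1` does not), and reports whether the installed libmarc-xml-perl predates the fixed release. The sample output is constructed from Robin's message; the `1.0.2` threshold comes from Galen's announcement.

```python
import re
# Constructed sample, modelled on the `apt-cache policy` output quoted in the thread
SAMPLE_POLICY = """libmarc-xml-perl:
  Installed: 1.0.1-1~koha1
  Candidate: 1.0.2-1koha1
  Version table:
     1.0.2-1koha1 0
        500 http://debian.koha-community.org/koha/ squeeze/main amd64 Packages
 *** 1.0.1-1~koha1 0
        100 /var/lib/dpkg/status"""
FIXED_IN = "1.0.2"  # first MARC::File::XML release without the XXE bug (per the thread)

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end-of-string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs the way dpkg's verrevcmp() does
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for i in range(max(len(ra), len(rb))):
            oa, ob = _order(ra[i] if i < len(ra) else ""), _order(rb[i] if i < len(rb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        ra, rb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        if int(ra or 0) != int(rb or 0):
            return -1 if int(ra or 0) < int(rb or 0) else 1
    return 0

def compare_versions(v1, v2):
    # Return -1/0/1 for Debian versions of the form [epoch:]upstream[-revision]
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def parse_policy(text):
    # Pull the Installed/Candidate lines out of `apt-cache policy` output ('(none)' -> None)
    return {k: (None if v == "(none)" else v)
            for k, v in re.findall(r"^\s*(Installed|Candidate):\s*(\S+)", text, re.M)}

def is_vulnerable(version, fixed=FIXED_IN):
    # True when nothing is installed or the installed version predates the fixed release
    return version is None or compare_versions(version, fixed) < 0
```

On a real box, feed it the output of `apt-cache policy libmarc-xml-perl` instead of the sample; Paul's later output (Installed: 1.0.2-1koha1) comes back as not vulnerable.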
At 12:31 PM 1/23/2014 +1300, Robin Sheat wrote: [snip]
For checking what is actually installed, you want apt-cache policy, e.g. [snip] The *** indicates that I have 1.0.1 installed,
libmarc-xml-perl:
  Installed: 1.0.2-1koha1
  Candidate: 1.0.2-1koha1
  Version table:
 *** 1.0.2-1koha1 0
        500 http://debian.koha-community.org/koha/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status
     0.92-1 0
        500 http://ca.archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages

Robin -- many tnx. I had totally forgotten that I had set debian.koha-community.org as an update repository, and was assuming that the Ubuntu package (which announces 1.0.2) had not been updated. See <http://us.archive.ubuntu.com/ubuntu/ubuntu/pool/universe/libm/libmarc-xml-perl/>

Best - Paul
Greetings, Paul A. asked Galen:
Could you please advise on 1.0.2 versus 0.92-1 -- the devil is always in the details.
You should have noted that Galen had previously given a URL:
https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2
Click on the Other files link called Changes for a fuller listing.

GPML,
Mark Tompsett
At 06:32 PM 1/22/2014 -0500, Mark Tompsett wrote:
Greetings,
Paul A. asked Galen:
Could you please advise on 1.0.2 versus 0.92-1 -- the devil is always in the details.
You should have noted that Galen had previously given a URL:
https://metacpan.org/release/GMCHARLT/MARC-XML-1.0.2
Click on the Other files link called Changes for a fuller listing.
Mark - thanks (and yes, I went there) -- but I *normally*, particularly for the production servers, try and use Ubuntu packages rather than CPAN. Best -- Paul
Participants (4):
- Galen Charlton
- Mark Tompsett
- Paul A
- Robin Sheat