[Catalyst] IMPORTANT SECURITY FIX: Catalyst-Authentication-Store-LDAP v1.013

Tomas Doran bobtfish at bobtfish.net
Fri Apr 26 20:00:36 GMT 2013


Catalyst-Authentication-Store-LDAP version 1.013 (only) contains a major security hole.

If you are using this module (at this version) then you MUST upgrade.

To see if you have a vulnerable version installed, run the following command:

perl -MCatalyst::Authentication::Store::LDAP\ 999
Catalyst::Authentication::Store::LDAP version 999 required--this is only version 1.014, <DATA> line 741.
BEGIN failed--compilation aborted, <DATA> line 741.

If the version number in the error message is <= 1.012, then you are NOT vulnerable.
If the version number in the error message is = 1.013, then you ARE vulnerable - you MUST upgrade.
If the version number in the error message is >= 1.014, then you are NOT vulnerable.

If you are not using the LDAP store in any of your applications (but just have it installed), then you are not vulnerable, although I strongly recommend upgrading anyway in case you do start using this module at a later time.

The fixed version has only been uploaded in the last few mins. If you want to upgrade before this hits a mirror site near you, then you can install the tar ball directly by saying:

cpanm http://pause.perl.org/incoming/Catalyst-Authentication-Store-LDAP-1.014.tar.gz

Or, if you don't have cpanm installed, you can say:

curl -L cpanmin.us | perl - -- http://pause.perl.org/incoming/Catalyst-Authentication-Store-LDAP-1.014.tar.gz

or, of course, download the file manually and install with the usual perl Makefile.PL && make install
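As an added example, not part of Tomas's message or the module's own code: a small POSIX sh helper that parses the output of the check command above and classifies a host by the advisory's rule (exactly 1.013 is vulnerable), also handling the case where the module is not installed at all. The sample stderr text is constructed, and `-e 1` is added to the perl invocation so it does not wait for a script on stdin.

```shell
#!/bin/sh
# Constructed sample of the stderr the advisory's check command produces
# on a vulnerable host (not captured from a real system).
SAMPLE_OUTPUT='Catalyst::Authentication::Store::LDAP version 999 required--this is only version 1.013, <DATA> line 741.
BEGIN failed--compilation aborted, <DATA> line 741.'

# Extract the installed version from the "this is only version X" message.
# Prints "none" when perl reports the module is missing from @INC, and
# prints nothing if the output has no recognisable version at all.
installed_version() {
  out="$1"
  case "$out" in
    *"Can't locate Catalyst/Authentication/Store/LDAP.pm"*) echo none; return 0 ;;
  esac
  printf '%s\n' "$out" | sed -n 's/.*this is only version \([0-9][0-9.]*\),.*/\1/p' | head -n 1
}

# Apply the advisory's rule: only version 1.013 is vulnerable.
# An empty or "none" version means the store is not installed, hence not vulnerable.
classify() {
  v="$1"
  if [ -z "$v" ] || [ "$v" = none ]; then
    echo NOT_INSTALLED
  elif [ "$v" = 1.013 ]; then
    echo VULNERABLE
  else
    echo NOT_VULNERABLE
  fi
}

# Run the advisory's check on this host; the version message goes to stderr,
# so it is merged into stdout before parsing.
check_host() {
  out=$(perl -MCatalyst::Authentication::Store::LDAP\ 999 -e 1 2>&1)
  classify "$(installed_version "$out")"
}
```

Calling `check_host` on each server (for example over ssh in a loop) gives one of VULNERABLE, NOT_VULNERABLE or NOT_INSTALLED per host.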

