security alert foswiki 1.1.8

Greetings,

I am still getting a security list when I install Foswiki 1.1.8 for the MAKETEXT script although it your documentation says it is fixed in this version. Is this something I need to be worried about? Thank you.

Xochi Maes Valdez

-- XochiValdez - 09 May 2013

You are probably okay. We patched the calls to MAKETEXT so that any vulnerabilities shouldn't be exposed by Foswiki. We do recommend however installing 1.23 of the CPAN Module Locale::Maketext for the safest solution.

Note that Debian and possibly other distributions have patched Locale::Maketext without incrementing the version number, which causes us to detect the version as vulnerable even though it's been patched. We're not sure how to address this, if distributions "lie" to us about the installed versions of CPAN code.

-- GeorgeClark - 09 May 2013

I've tried two patches (extensions) to upgrade but each time the log says no matching files found. So the warning stays up and the version does not get changed.

-- XochiValdez - 09 May 2013

The module - Locale::Maketext. is not part of Foswiki, and we don't patch it. The warning in configure is telling you that the CPAN module, installed external to Foswiki, is not version 1.29. There is nothing you can do in Foswiki to eliminate the warning.

You can either ignore it, or chase down the version of Locale::Maketext installed in your system and try to get it updated. For example:

 perl  -e 'use Locale::Maketext; print $Locale::Maketext::VERSION'
1.23

-- GeorgeClark - 10 May 2013

Commenting is disabled while not logged in