SUSE · ikapelyukhin · Oct 9, 2018
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 NAME          = smt
-VERSION       = 2.0.34
+VERSION       = 2.0.35
 DESTDIR       = /
 PERL         ?= perl
 PERLMODDIR    = $(shell $(PERL) -MConfig -e 'print $$Config{installvendorlib};')

diff --git a/package/smt.changes b/package/smt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Nov 14 08:12:13 UTC 2018 - [email protected]
+
+- version 2.0.35
+- Harden hostname check during sibling check by forcing double
+  reverse lookup (CVE-2018-12472) (bsc#1104076)
+
 -------------------------------------------------------------------
 Tue Aug 14 08:36:09 UTC 2018 - [email protected]
 

diff --git a/package/smt.spec b/package/smt.spec
@@ -20,7 +20,7 @@ Name:           smt
 BuildRequires:  apache2
 BuildRequires:  apache2-mod_perl
 BuildRequires:  swig
-Version:        2.0.34
+Version:        2.0.35
 Release:        0
 Requires:       createrepo
 Requires:       gpg2

diff --git a/www/perl-lib/SMT/RegistrationSharing.pm b/www/perl-lib/SMT/RegistrationSharing.pm
@@ -6,6 +6,7 @@ use warnings;
 use Apache2::Log;
 use Apache2::RequestRec ();
 use Apache2::ServerUtil ();
+use Apache2::Const -compile => qw(REMOTE_DOUBLE_REV);
 use DBI qw(:sql_types);
 use File::Slurp;
 use File::Temp;
@@ -534,7 +535,7 @@ sub _verifySenderAllowed
     my $r = shift;
 
     my $apache = Apache2::ServerUtil->server;
-    my $senderName = $r->connection()->get_remote_host();
+    my $senderName = $r->connection()->get_remote_host(Apache2::Const::REMOTE_DOUBLE_REV);
     my $senderIP = $r->connection()->remote_ip();
     my $msg = 'Received shared registration request from '
         . $senderName