
Re: Uploaded perl 5.003.07-11 (source i386) to master



On Thu, 7 May 1998, Martin Schulze wrote:

> On Thu, May 07, 1998 at 07:41:02AM +0200, Alexander Koch wrote:
> > On Thu, 7 May 1998 01:48:56 -0000, Christian Hudon wrote:
> > > Source: perl
> > > Binary: perl-suid perl-debug perl
> > > Version: 5.003.07-11
> > > Distribution: stable
> > > Urgency: high
>              ^^^^
> Changes: fixes security problem.

> > This is not a real upload, is it? Since 5.003.whatever is a bit ...
> > out-dated for years?
> 
> It is a real upload.  It's a security fix for our stable release.
> Uploads into stable may only fix security problems and should not
> introduce new upstream releases.

But 5.003_07 is still quite vulnerable to a once widely-circulated buffer
overflow attack.  Only upgrading to 5.004_04 will fix that problem.[*] Now
whether users *want* to upgrade their stable systems to 5.004_04 is
another question, and it probably has different answers depending on
whether or not the users run suid scripts vulnerable to the buffer
overflow or whether they want the absolute stability of sticking with
5.003_07. 

    Andy Dougherty		doughera@lafcol.lafayette.edu
    Dept. of Physics
    Lafayette College, Easton PA 18042

[*] Well, I guess I could probably plug that one hole without touching
much else, if there's really enough need.  The resulting perl would still
have a few quite obscure buffer overflow possibilities, but nothing for
which I'm aware of any widely circulated automated attacks.

