Re: About the security issues affecting libconfig-model-perl in Wheezy

To: ola@inguza.com
Cc: debian-lts@lists.debian.org
Subject: Re: About the security issues affecting libconfig-model-perl in Wheezy
From: Dominique Dumont <dod@debian.org>
Date: Wed, 17 May 2017 14:34:31 +0200
Message-id: <[🔎] 7094690.KctY9isAOv@ylum>
Reply-to: dod@debian.org
In-reply-to: <[🔎] 20170516212610.GA4490@inguza.net>
References: <[🔎] 20170516212610.GA4490@inguza.net>

On Tuesday, 16 May 2017 23:26:10 CEST you wrote:
> The Debian LTS team recently reviewed the security issue(s) affecting your
> package in Wheezy:
> https://security-tracker.debian.org/tracker/CVE-2017-0373
> https://security-tracker.debian.org/tracker/CVE-2017-0374

Wheezy is not impacted by CVE-2017-0373. The problematic file did not exist 
back then.

Fixing CVE-2017-0374 on wheezy and jessie is moot because '.' is still 
included in @INC in the perl shipped with these releases.

Likewise, fixing CVE-2017-0373 is not really useful: there's not much point in 
removing 'lib' from @INC (due to the spurious "use lib;") if '.' is also in 
@INC.

All the best
-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org

Reply to:

Follow-Ups:
- Re: About the security issues affecting libconfig-model-perl in Wheezy
  - From: Ola Lundqvist <ola@inguza.com>

References:
- About the security issues affecting libconfig-model-perl in Wheezy
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: About the security issues affecting libconfig-model-perl in Wheezy
Next by Date: Wheezy update of lzo2?
Previous by thread: About the security issues affecting libconfig-model-perl in Wheezy
Next by thread: Re: About the security issues affecting libconfig-model-perl in Wheezy
Index(es):
- Date
- Thread