Re: [xsawyerx@gmail.com: CVE-2016-1238: Important unsafe module load path flaw]
On Mon, Jul 25, 2016 at 09:46:46PM +0200, gregor herrmann wrote:
> On Mon, 25 Jul 2016 15:15:30 +0100, Dominic Hargreaves wrote:
>
> > Please could team members look at the patches I've applied in the
> > jessie-security branches of
> >
> > - libmodule-build-perl
> > - libmime-charset-perl
> > - libmime-encwords-perl
> > - libnet-dns-perl
> >
> > and apply a similar fix to sid and forwarding upstream?
>
> The former three are done by Salavatore (libmime*) and me (M::B).
> For libnet-dns-perl I tried to adjust the patch from jessie-security
> to sid but I'm not really sure if this is correct and/or sufficent
> (lot's of other 'require's, the same constants also defined in 2 test
> files ...).
>
> Maybe you could take a look at this patch/package?
Hi gregor,
Apologies for the severe delay in responding to this. I also noticed
that this package was a bit gnarly when it came to fixing this issue
consistently.
Given that '.' has now been removed from @INC by default in sid, I am
inclined not to worry too much about this one now.
Cheers,
Dominic.
Reply to: