
Re: [xsawyerx@gmail.com: CVE-2016-1238: Important unsafe module load path flaw]



On Thu, Oct 27, 2016 at 11:13:35PM +0200, gregor herrmann wrote:
> On Tue, 25 Oct 2016 16:18:51 +0100, Dominic Hargreaves wrote:
> 
> > On Mon, Jul 25, 2016 at 09:46:46PM +0200, gregor herrmann wrote:
> > > On Mon, 25 Jul 2016 15:15:30 +0100, Dominic Hargreaves wrote:
> > > > Please could team members look at the patches I've applied in the
> > > > jessie-security branches of
> > > > 
> > > > - libmodule-build-perl
> > > > - libmime-charset-perl
> > > > - libmime-encwords-perl
> > > > - libnet-dns-perl
> > > > 
> > > > and apply a similar fix to sid and forward it upstream?
> > > 
> > > The former three are done by Salvatore (libmime*) and me (M::B).
> > > For libnet-dns-perl I tried to adjust the patch from jessie-security
> > > to sid but I'm not really sure if this is correct and/or sufficient
> > > (lots of other 'require's, the same constants also defined in 2 test
> > > files ...).
> > > Maybe you could take a look at this patch/package?
> > 
> > Apologies for the severe delay in responding to this. I also noticed
> > that this package was a bit gnarly when it came to fixing this issue
> > consistently.
> > 
> > Given that '.' has now been removed from @INC by default in sid, I am
> > inclined not to worry too much about this one now.
> 
> Ok, makes sense :)
> So I guess we can drop the (never uploaded) patch in git?

Yes, that sounds fine to me.

Thanks,
Dominic.

