On Tue, Feb 13, 2007 at 07:51:26PM -0800, Steve Langasek wrote:
> > 3.1.8 is a major bug-fix release, including the following issues:
> > - bug 5318: set a maximum internal length for URIs
> > - bug 5240: disable perl module usage in update channels unless
> > --allowplugins is specified
> this one in particular seems like a behavior change that shouldn't be
> introduced into etch at this late stage of the freeze.

FWIW, this is more or less a security fix. sa-update currently (without this change) will download rule updates blindly from a trusted rule provider, and this can include new plugins and thus new code. With this patch, rule providers will be unable to provide new plugins, but as far as I know this doesn't affect any known rule providers (certainly not the default spamassassin one), so it won't break anything. It's basically to prevent a huge disaster if a user uses a compromised or malicious rule provider. I would actually like to backport this change as well if possible.

> > - bug 5056: remove Text::Wrap related code due to upstream issues
> hmm, also sounds like a risky change during a freeze.

This is a valid concern.

> So yes, a backport of the security fix would be appreciated.

Would you mind if I backported the fix to 5240 as well? (I'd provide a URL with more info, but it's currently classified as a security issue and restricted to the SA committers.)

--
Duncan Findlay
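The risk discussed in the message above (a rule update that also activates new Perl code) can be checked for on downloaded rule files. The following is an added example, not part of the original email and not SpamAssassin's own code; it assumes plugin activation appears as `loadplugin` or `tryplugin` lines in rule files, and the marker text, function names and sample file are constructed for illustration.

```python
import re

# Assumption for this example: a rules file activates Perl code through
# `loadplugin` / `tryplugin` lines. Matching is case-insensitive so that an
# oddly cased directive is flagged rather than missed.
PLUGIN_DIRECTIVE = re.compile(r"^\s*(loadplugin|tryplugin)\b\s*(.*)$", re.IGNORECASE)
MARKER = "# [disabled: plugins not allowed from update channel] "  # hypothetical marker


def find_plugin_directives(text):
    """Return (line_number, directive, argument) for each active plugin line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = PLUGIN_DIRECTIVE.match(line)  # lines starting with '#' never match
        if match:
            hits.append((number, match.group(1).lower(), match.group(2).strip()))
    return hits


def neutralize(text, allow_plugins=False):
    """Comment out plugin-loading lines unless the operator explicitly opted in."""
    if allow_plugins:
        return text
    out = []
    for line in text.splitlines():
        out.append(MARKER + line.strip() if PLUGIN_DIRECTIVE.match(line) else line)
    return "\n".join(out) + "\n"


# Constructed sample update file (not taken from any real update channel).
SAMPLE_UPDATE = """\
# rules from example channel
body     EXAMPLE_RULE  /buy now/i
score    EXAMPLE_RULE  1.5
  loadplugin Example::Plugin::Dropper dropper.pm
#loadplugin Example::Plugin::AlreadyOff
describe EXAMPLE_RULE  mentions loadplugin in text only
"""

if __name__ == "__main__":
    for hit in find_plugin_directives(SAMPLE_UPDATE):
        print("active plugin directive:", hit)
    print(neutralize(SAMPLE_UPDATE), end="")
```

Only the indented `loadplugin` line is reported; the commented-out directive and the rule description that merely mentions the word are left alone.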