[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc



On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
> severity 622817 important
> thanks
> 
> On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> > * Niko Tyni:
> > 
> > > Security team, I assume this is going to be fixed through a DSA?
> > 
> > I don't think this is a security bug on its own.
> 
> Yes, turns out upstream thinks similarly.
> 
>  http://nntp.perl.org/group/perl.perl5.porters/171010
> 
> I'm therefore downgrading the severity.
> 
> > If this bug fixes any actual vulnerabilities, such a backport will
> > break applications, hard.  Therefore, I would prefer to let it soak in
> > unstable/testing for some time, to see what happens.
> 
> OK, let's do that. Thanks and sorry for rushing things a bit.

Perhaps it would make sense to upload this fix to s-p-u and o-p-u
instead (after a suitable soak period). Release team, any thoughts?

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


Reply to: