
Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
On Fri, 2011-04-22 at 12:29 +0100, Dominic Hargreaves wrote:
> On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
>  
> > On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> >  http://nntp.perl.org/group/perl.perl5.porters/171010
> > 
> > I'm therefore downgrading the severity.
> > 
> > > If this bug fixes any actual vulnerabilities, such a backport will
> > > break applications, hard.  Therefore, I would prefer to let it soak in
> > > unstable/testing for some time, to see what happens.
> > 
> > OK, let's do that. Thanks and sorry for rushing things a bit.
> 
> Perhaps it would make sense to upload this fix to s-p-u and o-p-u
> instead (after a suitable soak period). Release team, any thoughts?

If the security team aren't going to be issuing a DSA for it then we
could certainly look at a stable update.

I do share Florian's concern about the potential breakage as a result of
the change.  Do we have any idea how many packages in {old,}stable would
be affected and to what degree?  Particularly in the case of oldstable,
with its four month update cycle, fixing packages broken by the change
could be somewhat painful.

Regards,

Adam
