[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
> > I do share Florian's concern about the potential breakage as a result of
> > the change.  Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree?  Particularly in the case of oldstable,
> > with its four month update cycle, fixing packages broken by the change
> > could be somewhat painful.
> Okay, then we should release a DSA for it, so that the breakage is
> more easily blamed on this particular change, and that it's less
> confusing if we have to issue follow-up DSAs.  Perhaps late May or
> early June would be a convenient release date?

Wasn't the earlier consensus that this only affects Perl scripts, which
are already insecure?


Reply to: