Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
>
> > I do share Florian's concern about the potential breakage as a result of
> > the change. Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree? Particularly in the case of oldstable,
> > with its four month update cycle, fixing packages broken by the change
> > could be somewhat painful.
>
> Okay, then we should release a DSA for it, so that the breakage is
> more easily blamed on this particular change, and that it's less
> confusing if we have to issue follow-up DSAs. Perhaps late May or
> early June would be a convenient release date?

Wasn't the earlier consensus that this only affects Perl scripts, which
are already insecure?

Cheers,
Moritz