[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

On Sun, May 01, 2011 at 10:33:35PM +0200, Moritz Mühlenhoff wrote:
> On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> > * Adam D. Barratt:
> > 
> > > I do share Florian's concern about the potential breakage as a result of
> > > the change.  Do we have any idea how many packages in {old,}stable would
> > > be affected and to what degree?  Particularly in the case of oldstable,
> > > with its four month update cycle, fixing packages broken by the change
> > > could be somewhat painful.
> > 
> > Okay, then we should release a DSA for it, so that the breakage is
> > more easily blamed on this particular change, and that it's less
> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
> > early June would be a convenient release date?
> Wasn't the earlier consensus that this only affects Perl scripts, which
> are already insecure?

I don't think we've seen any discussion of this; could you elaborate?


Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Reply to: