Re: perl update for squeeze
On Mon, 2011-12-19 at 22:51 +0000, Dominic Hargreaves wrote:
> On Mon, Dec 19, 2011 at 12:58:35PM +0000, Adam D. Barratt wrote:
> > On 19.12.2011 11:30, Dominic Hargreaves wrote:
> > >The security team has asked that we fix a couple of no-dsa issues in
> > >the next squeeze point release. This bug
> > >(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604902) was also
> > >queued for a point release update.
> > The patch looks like it would be okay; thanks. However, in order to
> > approve the upload for a point release, we'd need to see full
> > debdiffs for the proposed package which would be uploaded.
> Current debdiff (without finalised changelog) attached.
Thanks. Overall the diff looks fine, although the first two of these:
+ * [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security
+ bug in Unicode.xs (Closes: #637376)
+ * [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
+ thanks to Ansgar Burchardt for the notification (Closes: #644108)
+ * Unregister signal handler before destroying my_perl; fixes segfault
+ (Closes: #604902)
appear to no longer be marked as fixed in testing and unstable. I'm
guessing this is purely an artefact of the archive + re-open but it
would be good if the BTS versioning could be fixed up to accurately
reflect the state of the bugs.