[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: perl update for squeeze

On Mon, 2011-12-19 at 22:51 +0000, Dominic Hargreaves wrote:
> On Mon, Dec 19, 2011 at 12:58:35PM +0000, Adam D. Barratt wrote:
> > On 19.12.2011 11:30, Dominic Hargreaves wrote:
> > >The security team has asked that we fix a couple of no-dsa issues in
> > >the next squeeze point release. This bug
> > >(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604902) was also
> > >queued for a point release update.
[...]
> > The patch looks like it would be okay; thanks.  However, in order to
> > approve the upload for a point release, we'd need to see full
> > debdiffs for the proposed package which would be uploaded.
> 
> Current debdiff (without finalised changelog) attached.

Thanks.  Overall the diff looks fine, although the first two of these:

+  * [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security
+    bug in Unicode.xs (Closes: #637376)
+  * [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
+    thanks to Ansgar Burchardt for the notification (Closes: #644108)
+  * Unregister signal handler before destroying my_perl; fixes segfault
+    (Closes: #604902)

appear to no longer be marked as fixed in testing and unstable.  I'm
guessing this is purely an artefact of the archive + re-open but it
would be good if the BTS versioning could be fixed up to accurately
reflect the state of the bugs.

Regards,

Adam
Reply to: