[Git][security-tracker-team/security-tracker][master] dla: drop libstring-compare-constanttime-perl

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Fri Jun 20 08:12:26 BST 2025 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a7cea01e by Sylvain Beucler at 2025-06-20T09:12:17+02:00
dla: drop libstring-compare-constanttime-perl

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -27673,6 +27673,7 @@ CVE-2024-49563 (Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neu
 CVE-2024-13939 (String::Compare::ConstantTime for Perl through 0.321 is vulnerable to  ...)
 	- libstring-compare-constanttime-perl 0.321-3 (bug #1101502)
 	[bookworm] - libstring-compare-constanttime-perl <no-dsa> (Minor issue)
+	[bullseye] - libstring-compare-constanttime-perl <postponed> (Minor issue, no consensus, follow bookworm)
 	NOTE: https://lists.security.metacpan.org/cve-announce/msg/28284732/
 	NOTE: https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL
 	NOTE: Disputed upstream:


=====================================
data/dla-needed.txt
=====================================
@@ -201,17 +201,6 @@ libsoup2.4
   NOTE: 20250520: seems sensible.  Or maybe someone else will have more luck
   NOTE: 20250520: than me with getting the backported tests to run.  (spwhitton)
 --
-libstring-compare-constanttime-perl
-  NOTE: 20250412: Added by Front-Desk (Beuc)
-  NOTE: 20250412: Upstream has been dormant, but there's a patch proposal from RedHat.
-  NOTE: 20250412: Coordinate with them?
-  NOTE: 20250412: Said patch just pushed to unstable, but in-depth testing / cross-review remains to be done AFAIK
-  NOTE: 20250412: Also, disputed upstream (Beuc/front-desk)
-  NOTE: 20250430: carnil: Please do not upload fixes for LTS yet for this. We have applied in unstable a not-yet
-  NOTE: 20250430: upstream acknowledged patch and do not necessarily want to go down to stable and older releases
-  NOTE: 20250430: with it. At least not until we have either decided to revert the patch landing in trixie or accept
-  NOTE: 20250430: it. Context in https://github.com/hoytech/String-Compare-ConstantTime/pull/21
---
 libxml2 (guilhem)
   NOTE: 20250613: Added by Front-Desk (rouca)
   NOTE: 20250613: get in sync with DSA/bookworm (rouca/FD)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7cea01eabb7b6daf7181508b4214d43ee14dab0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7cea01eabb7b6daf7181508b4214d43ee14dab0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250620/0434a7f7/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list