Bug#631529: Missing fix for CVE-2010-1447

Moritz Mühlenhoff jmm at inutil.org
Mon Jun 27 17:01:24 UTC 2011


On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote:
> On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote:
> > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote:
> > > Package: perl
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi Perl maintainers,
> > > it turns out that CVE-2010-1447 is still missing in Lenny and
> > > Squeeze. It was originally attributed to Postgres, but it
> > > was later found out that Perl is affected as well.
> > > 
> > > The attached patch is still needed in both Lenny and Squeeze.
> > 
> > Thanks for pointing this out. I'll verify the patch and prepare packages;
> > do you want them uploaded to security-master ASAP?
> 
> Please note that this is probably going to break libpetal-perl and no
> fix is available. See #582805.

But this software must've already been broken with the initial Safe.pm fix for
Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)

Cheers,
        Moritz






More information about the Perl-maintainers mailing list