Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

Dominic Hargreaves dom at earth.li
Mon May 2 12:28:09 UTC 2011


On Sun, May 01, 2011 at 10:33:35PM +0200, Moritz Mühlenhoff wrote:
> On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> > * Adam D. Barratt:
> > 
> > > I do share Florian's concern about the potential breakage as a result of
> > > the change.  Do we have any idea how many packages in {old,}stable would
> > > be affected and to what degree?  Particularly in the case of oldstable,
> > > with its four month update cycle, fixing packages broken by the change
> > > could be somewhat painful.
> > 
> > Okay, then we should release a DSA for it, so that the breakage is
> > more easily blamed on this particular change, and that it's less
> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
> > early June would be a convenient release date?
> 
> Wasn't the earlier consensus that this only affects Perl scripts, which
> are already insecure?

I don't think we've seen any discussion of this; could you elaborate?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)