Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc
Dominic Hargreaves
dom at earth.li
Fri Apr 22 11:29:19 UTC 2011

On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
> severity 622817 important
> thanks
>
> On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> > * Niko Tyni:
> >
> > > Security team, I assume this is going to be fixed through a DSA?
> >
> > I don't think this is a security bug on its own.
>
> Yes, turns out upstream thinks similarly.
>
> http://nntp.perl.org/group/perl.perl5.porters/171010
>
> I'm therefore downgrading the severity.
>
> > If this bug fixes any actual vulnerabilities, such a backport will
> > break applications, hard. Therefore, I would prefer to let it soak in
> > unstable/testing for some time, to see what happens.
>
> OK, let's do that. Thanks and sorry for rushing things a bit.

Perhaps it would make sense to upload this fix to s-p-u and o-p-u
instead (after a suitable soak period). Release team, any thoughts?
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)