Bug#833030:

Chris Travers chris.travers at gmail.com
Mon Aug 1 14:45:37 UTC 2016


As a side note, I have started discussing this security problem, exploits,
and security measures on my blog.  Please note that none of the module
changes prevent the most trivial exploits against, for example, prove and
you can't fix this in prove without breaking its basic guarantee.  Simply
put, it is unsafe to run prove from any world-writeable directory with or
without your fixes.

One reason I have started discussing this from a full disclosure is that it
is clear to me that system administrators are in a better position than
package maintainers in preventing this problem at the moment.  I have also
reported this breakage upstream to Perl since it looks like it is in rc's
too.  Here is to hoping others don't have to go through what I did over the
weekend.

-- 
Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor
lock-in.
http://www.efficito.com/learn_more