On Tue, May 25, 2010 at 10:53:56PM +0300, Niko Tyni wrote:
> > CVE-2010-1974[0]:
> > | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> > | before 2.25 for Perl allow context-dependent attackers to inject and
> > | execute arbitrary code via vectors related to "automagic methods."
> > | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.
> >
> > The current version of perl in unstable has safe.pm 2.18, so that just
> > needs to be updated to version 2.25.
>
> If this is indeed considered 'serious', we need targeted fixes for a
> stable update as well. I'm rather concerned about possible regressions.
>
> I'm currently trying to come up with some test cases so that I could
> understand the risks better. Help would be welcome. I wasn't particularly
> well acquainted with Safe before this.
While I haven't had the time for this (and won't have before the next
week), I think the right thing to do here is indeed to update the sid
version to 2.25 (but not 2.27, which is a more intrusive change) as
upstream clearly recommends that in

http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html

I'm still a bit worried about regressions, so I'm not going to do this in
a separate urgency-bumped upload, but rather include it with other
accumulated bug fixes.

I'm deliberately ignoring stable for the moment until I find the time to
delve into this properly.
-- 
Niko Tyni   nt...@debian.org