Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-06-17 Thread Niko Tyni
On Thu, Jun 16, 2011 at 10:11:09PM +0200, Florian Weimer wrote: Okay, then we should release a DSA for it, so that the breakage is more easily blamed on this particular change, and that it's less confusing if we have to issue follow-up DSAs. Perhaps late May or early June would be a

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-06-16 Thread Florian Weimer
* Dominic Hargreaves: Okay, then we should release a DSA for it, so that the breakage is more easily blamed on this particular change, and that it's less confusing if we have to issue follow-up DSAs. Perhaps late May or early June would be a convenient release date? Wasn't the earlier

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-05-02 Thread Dominic Hargreaves
On Sun, May 01, 2011 at 10:33:35PM +0200, Moritz Mühlenhoff wrote: On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote: * Adam D. Barratt: I do share Florian's concern about the potential breakage as a result of the change. Do we have any idea how many packages in

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-05-01 Thread Moritz Mühlenhoff
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote: * Adam D. Barratt: I do share Florian's concern about the potential breakage as a result of the change. Do we have any idea how many packages in {old,}stable would be affected and to what degree? Particularly in the case of

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-30 Thread Florian Weimer
* Adam D. Barratt: I do share Florian's concern about the potential breakage as a result of the change. Do we have any idea how many packages in {old,}stable would be affected and to what degree? Particularly in the case of oldstable, with its four month update cycle, fixing packages broken

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-30 Thread Dominic Hargreaves
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote: * Adam D. Barratt: I do share Florian's concern about the potential breakage as a result of the change. Do we have any idea how many packages in {old,}stable would be affected and to what degree? I don't think we have any

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-25 Thread Adam D. Barratt
On Fri, 2011-04-22 at 12:29 +0100, Dominic Hargreaves wrote: On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote: On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote: http://nntp.perl.org/group/perl.perl5.porters/171010 I'm therefore downgrading the severity.

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-22 Thread Dominic Hargreaves
On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote: severity 622817 important thanks On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote: * Niko Tyni: Security team, I assume this is going to be fixed through a DSA? I don't think this is a security bug on its