On Thu, Jun 16, 2011 at 10:11:09PM +0200, Florian Weimer wrote:

> >> > Okay, then we should release a DSA for it, so that the breakage is
> >> > more easily blamed on this particular change, and that it's less
> >> > confusing if we have to issue follow-up DSAs. Perhaps late May or
> >> > early June would be a convenient release date?

> Anyway, we should probably push the fix to lenny and squeeze at this
> point. (See above for part of my rationale for that.)

Fine by me.

> I can grab
> 0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch and
> apply it to squeeze & lenny if you want me to.

I'm short on time and I believe Dominic is also, so I'd be glad if you
could handle this.

FWIW, I already prepared full debdiffs for lenny and squeeze earlier, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622817#32
Feel free to use those if you like, modified or unmodified.

> Are there any other pending changes I should pick up?

I don't think so. We have two other CVE issues open:

 #628836 perl-debug: CVE-2010-4777 perl: assertion failure with certain regular expressions
   applies to perl-debug only, not fixed in unstable yet

 #628817 perl NULL pointer dereference CVE-2011-0761 (at least symptoms)
   fixed in unstable by a newer upstream version

These are low to medium severity bugs, and neither currently has a
clearly correct patch available for 5.10.x, so I don't think they are
candidates at this time.

 #629363 perl consumes all the memory on: open FILE, '<', \*STDIN or die; <FILE>;

is a recent candidate for a stable update but it's not even fixed in
unstable yet so we'll have to leave it for later too.

Thanks for looking at this,
-- 
Niko Tyni   nt...@debian.org
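A verification script, added here and not part of the bug discussion above, that checks whether the installed perl propagates the taint flag through lc/uc/lcfirst/ucfirst, which is what the CVE-2011-1487 patch named above restores; the file name and the use of @ARGV or $ENV{PATH} as the tainted input source are assumptions.

```perl
# check_taint.pl (assumed name) -- run as: perl -T check_taint.pl [string]
# Added example, not part of the Debian bug discussion: verifies that
# lc/uc/lcfirst/ucfirst keep the taint flag of their argument, which is
# what the CVE-2011-1487 patch restores. Run it before and after
# installing the updated perl packages to confirm the backport took.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, command-line arguments and environment values are tainted,
# so either source gives us a tainted input string to test with.
my $input = @ARGV ? $ARGV[0] : $ENV{PATH};
die "no tainted input available (is -T on?)\n" unless tainted($input);

# The four case-changing builtins covered by the patch.
my %case_ops = (
    lc      => sub { lc      $_[0] },
    uc      => sub { uc      $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

my $all_tainted = 1;
for my $name (sort keys %case_ops) {
    my $result = $case_ops{$name}->($input);
    my $state  = tainted($result) ? "tainted" : "NOT tainted";
    printf "%-8s => %s\n", $name, $state;
    $all_tainted = 0 unless tainted($result);
}

if ($all_tainted) {
    print "taint propagated through all four functions: fixed\n";
    exit 0;
}
print "taint lost: this perl is affected by CVE-2011-1487\n";
exit 1;
```

The exit status (0 fixed, 1 affected) makes the script usable from a package QA or autopkgtest hook as well as by hand.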