Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-06-17 Thread Niko Tyni
On Thu, Jun 16, 2011 at 10:11:09PM +0200, Florian Weimer wrote:
> >> > Okay, then we should release a DSA for it, so that the breakage is
> >> > more easily blamed on this particular change, and that it's less
> >> > confusing if we have to issue follow-up DSAs. Perhaps late May or
> >> > early J

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-06-16 Thread Florian Weimer
* Dominic Hargreaves:
>> > Okay, then we should release a DSA for it, so that the breakage is
>> > more easily blamed on this particular change, and that it's less
>> > confusing if we have to issue follow-up DSAs. Perhaps late May or
>> > early June would be a convenient release date?
>>
>> Was

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-05-02 Thread Dominic Hargreaves
On Sun, May 01, 2011 at 10:33:35PM +0200, Moritz Mühlenhoff wrote:
> On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> > * Adam D. Barratt:
> >
> > > I do share Florian's concern about the potential breakage as a result of
> > > the change. Do we have any idea how many packages in

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-05-01 Thread Moritz Mühlenhoff
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
>
> > I do share Florian's concern about the potential breakage as a result of
> > the change. Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree? Particularly in the

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-30 Thread Dominic Hargreaves
On Sat, Apr 30, 2011 at 06:26:51PM +0200, Florian Weimer wrote:
> * Adam D. Barratt:
>
> > I do share Florian's concern about the potential breakage as a result of
> > the change. Do we have any idea how many packages in {old,}stable would
> > be affected and to what degree?

I don't think we hav

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-30 Thread Florian Weimer
* Adam D. Barratt:
> I do share Florian's concern about the potential breakage as a result of
> the change. Do we have any idea how many packages in {old,}stable would
> be affected and to what degree? Particularly in the case of oldstable,
> with its four month update cycle, fixing packages bro

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-25 Thread Adam D. Barratt
On Fri, 2011-04-22 at 12:29 +0100, Dominic Hargreaves wrote:
> On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
>
> > On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> > http://nntp.perl.org/group/perl.perl5.porters/171010
> >
> > I'm therefore downgrading the severity

Re: Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

2011-04-22 Thread Dominic Hargreaves
On Wed, Apr 20, 2011 at 08:52:31AM +0300, Niko Tyni wrote:
> severity 622817 important
> thanks
>
> On Tue, Apr 19, 2011 at 04:18:36PM +0200, Florian Weimer wrote:
> > * Niko Tyni:
> >
> > > Security team, I assume this is going to be fixed through a DSA?
> >
> > I don't think this is a security