On Mon, Jun 27, 2011 at 07:01:24PM +0200, Moritz Mühlenhoff wrote: > On Sun, Jun 26, 2011 at 08:49:12AM +0300, Niko Tyni wrote: > > On Sat, Jun 25, 2011 at 12:09:03PM +0100, Dominic Hargreaves wrote: > > > On Fri, Jun 24, 2011 at 06:56:40PM +0200, Moritz Muehlenhoff wrote: > > > > Package: perl > > > > Severity: grave > > > > Tags: security > > > > > > > > Hi Perl maintainers, > > > > it turns out that CVE-2010-1447 is still missing in Lenny and > > > > Squeeze. It was originally attributed to Postgres, but it > > > > was later found out that Perl is affected as well. > > > > > > > > The attached patch is still needed in both Lenny and Squeeze. > > > > > > Thanks for pointing this out. I'll verify the patch and prepare packages; > > > do you want them uploaded to security-master ASAP? > > > > Please note that this is probably going to break libpetal-perl and no > > fix is available. See #582805. > > But this software must've already been broken with the initial Safe.pm fix for > Lenny/Squeeze? (5.10.0-19lenny3 / CVE-2010-1168)
I don't think so, no. libpetal-perl builds okay for me on squeeze. The referenced bug mentions the change in 2.27: - Wrap coderefs returned by reval() and rdo() (the change we're applying in this bug). I think the opinion of the perl maintainers is that we shouldn't worry about that package too much, but I guess that's a call for the security team. squeeze packages fixing this bug are ready to upload; lenny packages need a little more work to get the tests passing again. Cheers, Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org