On Mon, Jan 31, 2005 at 04:42:59PM +0100, Rafael Garcia-Suarez wrote:
> KF (lists) wrote:
> > Much thanks on the quick response and fix.
> > Attached are the PoC for each condition in case you were wondering how
> > exploitable this *was*.
> >
> > Do you have any idea what the span of this bug is (like what versions
> > are affected)?
>
> I'd say every release since we have PerlIO, e.g. every 5.8.x for x in
> 0..6.
>
> > Will there be a new release or perl announcement about
> > this bug(s)?
>
> That's to be appreciated by the maint pumpking.

Who was already planning to start the 5.8.7 release process at the end of
February. It's proved tricky in the past to make full releases "rapidly"
without fear of introducing new bugs and making things worse.

> Vendors are of course encouraged to grab those patches.

This seems to be the best way. We probably should wrap up all 3 patches into
one single "this is what you need" patch. Historically, I'm not sure if there
is a precedent on where anything like this has been announced. Have patches,
or the URLs of patches, previously been sent as replies to messages detailing
exploits on lists such as bugtraq?

> A new package of perl for mandrakelinux is already on its way to the
> mirrors, and a security advisory accordingly on BugTraq.

Nicholas Clark
