develooper Front page | perl.perl5.porters | Postings from July 2012

the "require" branch, maintperl, and security

From:
Ricardo Signes
Date:
July 24, 2012 07:32
Subject:
the "require" branch, maintperl, and security
Message ID:
20120724143232.GA17092@cancer.codesimply.com

Finally, 5.16.1 is unblocked.  I can't tell you how relieved I am.

In the course of investigating some unrelated and spurious reports, we
discovered a surprising little bug.  In short, C< require ::foo > acted like C<
require "/foo.pm" > instead of searching only in @INC.

The perl5 security team looked through this and a number of attached problems
to try to determine whether this represented a vulnerability in perl, and we
have determined that it does *not*.  Still, we have already informed the
security teams of downstream vendors of perl and given them time to object to
proceeding with fixes for this as "business as usual."  None objected.

The smoke-me/require branch contains a fix for this bug, and will land on blead
shortly assuming further testing finds no problems.  It will then be backported
to maint-5.16, which will be tested and released as usual.  Once that's done,
I'll move on to maint-5.14.  A maint-5.12 is also likely after that.  With that
done, I hope to spend a little time lying atop a warm rock.

Thanks for your patience during this unexpected and unexplained delay of
maint-5.16.  I think no one is more pleased than I to have things moving once
again.

-- 
rjbs
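The mechanism behind the bug is easier to see in code. The following is an added illustration, not code from the post and not perl's own implementation of require: it mimics the bareword-to-file translation that require performs (Foo::Bar becomes Foo/Bar.pm), shows why a name starting with "::" turns into an absolute file name that skips the @INC search, and adds a hypothetical guard that rejects such names. The function names (module_to_file, resolve_like_require, checked_module_file), the temporary library directory and the guard itself are assumptions for the example; the guard is not the fix that landed on the smoke-me/require branch.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Illustration only: mimic the name-to-file translation that a bareword
# require performs (Foo::Bar -> Foo/Bar.pm). This is not perl's own code.
sub module_to_file {
    my ($name) = @_;
    (my $file = $name) =~ s{::}{/}g;
    return "$file.pm";
}

# Mimic where require would look: a relative name is joined with each
# @INC directory in turn; an absolute name is opened as-is, with no
# @INC search at all. Returns the path that would be loaded, or undef.
sub resolve_like_require {
    my ($file, @inc) = @_;
    return (-e $file ? $file : undef) if $file =~ m{^/};
    for my $dir (@inc) {
        my $candidate = "$dir/$file";
        return $candidate if -e $candidate;
    }
    return;
}

# Hypothetical guard (not the fix from the smoke-me/require branch):
# refuse any module name whose translated file name would escape the
# @INC search, i.e. is absolute or contains a ".." component.
sub checked_module_file {
    my ($name) = @_;
    my $file = module_to_file($name);
    die "refusing '$name': '$file' would not be searched for in \@INC\n"
        if $file =~ m{^/} || grep { $_ eq '..' } split m{/}, $file;
    return $file;
}

# Constructed library directory standing in for @INC (assumption).
my $lib = tempdir(CLEANUP => 1);
make_path("$lib/Foo");
open my $fh, '>', "$lib/Foo/Bar.pm" or die "open: $!";
print {$fh} "package Foo::Bar;\n1;\n";
close $fh;
my @inc = ($lib);

for my $name ('Foo::Bar', '::foo') {
    my $file  = module_to_file($name);
    my $found = resolve_like_require($file, @inc);
    printf "%-9s -> %-11s %s\n", $name, $file,
        $file =~ m{^/} ? "absolute, \@INC ignored"
                       : "searched in \@INC: " . ($found // "not found");
    my $ok = eval { checked_module_file($name); 1 };
    print "  guard: ", ($ok ? "accepted\n" : "$@");
}
```

Run as-is; Foo::Bar is found under the temporary directory, while ::foo translates to /foo.pm, which the lookup treats as an absolute path and never searches @INC for. The guard turns that second case into a refusal instead of a silent load from the filesystem root.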
