develooper Front page | perl.perl5.porters | Postings from December 2012

Re: security notice: Locale::Maketext: CVE?

Thread Previous | Thread Next
From:
Dominic Hargreaves
Date:
December 9, 2012 00:12
Subject:
Re: security notice: Locale::Maketext: CVE?
Message ID:
20121209001214.GT4116@urchin.earth.li
On Wed, Dec 05, 2012 at 04:05:01PM -0500, Ricardo Signes wrote:
> * Dominic Hargreaves <dom@earth.li> [2012-12-05T13:51:19]
> > I wondered (and the question has arised within the Debian project) whether
> > anyone might be relying on the previous behaviour? Have you been able to do
> > any assessment of this?
> 
> It's difficult to say, unfortunately, because (I suppose) most projects that
> would use Locale::Maketext would not be CPAN projects, and so finding them is
> not trivial.
> 
> I did do some grepping of the CPAN and found zero cases.
> 
> It should be quite easy to add this behavior back as optional, if we find
> we've broken anything.
> 
> I'm sorry I can't be more concrete!

Thanks for this. Has a CVE been assigned to this vulnerability yet,
and if so, what's the best way to do so?

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About