Adding debian-release as CC. On Wed, Jan 16, 2013 at 07:33:19AM +0100, Salvatore Bonaccorso wrote: > Hi Dominic > > On Tue, Jan 15, 2013 at 11:26:09PM +0000, Dominic Hargreaves wrote: > > On Mon, Jan 14, 2013 at 09:46:55PM +0100, Salvatore Bonaccorso wrote: > > > Upload of Digest::SHA 5.81 mentions the following: > > > > > > 5.81 Mon Jan 14 05:17:08 MST 2013 > > > - corrected load subroutine (SHA.pm) to prevent double-free > > > -- Bug #82655: Security issue - segfault > > > -- thanks to Victor Efimov and Nicholas Clark > > > for technical expertise and suggestions > > > > > > Upstream bugreport is [1] and it was also sent to > > > perl5-security-rep...@perl.org list. > > > > > > [1]: https://rt.cpan.org/Ticket/Display.html?id=82655 > > > > The view so far appears to be that this is not exploitable: > > > > http://seclists.org/oss-sec/2013/q1/88 > > Yes I have seen. I think at this stage we can remove the security tag > for #698174 (and #698172).
At this stage I'm not planning to push this for inclusion in wheezy; since it doesn't meet <http://release.debian.org/wheezy/freeze_policy.html> but let me know if anyone thinks differently. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
