Control: tags -1 - security
Control: found -1 4.46-1

On Tue, Jan 12, 2016 at 12:54:19PM +0000, Chris Boot wrote:
> Control: tag -1 security
>
> On 12/01/16 12:28, Chris Boot wrote:
> [snip]
> > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> >
> > Dear Maintainer,
> >
> > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > installation of TWiki (http://twiki.org/) no longer functions. This
> > happens due to CGI::Session::Driver::file complaining about taint.
>
> I'm bringing this bug to the attention of the security team, as it has
> only come to light since the Jessie DSA of Perl (DSA-3441-1), so it's a
> stable security regression.
Indeed, this is unfortunate - confirmed that this is trivially reproducible.

It is misleading to call this a security bug in itself, so I am removing that tag.

I am happy to prepare an updated package with the patch in from the RT ticket, though it would be good to get some second opinions on the correctness of that patch.

I guess that should be released as a DSA update, given (as you point out) it's a regression indirectly introduced by the DSA. Another alternative would be the jessie point release, for which the freeze date is later this week.

I'm puzzled about why this wasn't spotted as an issue for wheezy, which doesn't have the perl taint bug, and does suffer from this problem: we should fix that there too, probably in the next point release.

Dominic.
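The thread above turns on CGI::Session::Driver::file "complaining about taint" once the perl update restored correct taint tracking. The script below is an added illustration, not code from the thread, from TWiki, from CGI::Session or from the RT ticket's patch: it shows what that complaint looks like in a minimal Perl program run under -T, and the standard regex-capture idiom a file-backed session driver needs to apply to a session id before building a filename from it. The session id value and the file layout are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug thread, TWiki, CGI::Session or the RT patch):
# demonstrates Perl taint mode rejecting a file operation on untrusted data,
# and the untainting idiom a session driver must use before touching disk.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Spec;
use File::Temp qw(tempdir);

$ENV{PATH} = '/usr/bin:/bin';   # -T requires a clean PATH before any child process

# Constructed sample session id. Under -T every %ENV value is tainted, and
# appending an empty substring of a tainted value taints the whole string,
# which is the same state a cookie or query parameter read by CGI.pm is in.
my $sid = 'abc123' . substr($ENV{PATH}, 0, 0);
printf "sid tainted: %s\n", tainted($sid) ? 'yes' : 'no';      # prints "yes"

my $dir  = tempdir(CLEANUP => 1);   # tmpdir() ignores a tainted TMPDIR candidate
my $path = File::Spec->catfile($dir, "cgisess_$sid");   # still tainted

# Attempt 1: open the session file for writing with the tainted name.
# Under -T perl dies with "Insecure dependency in open while running with -T
# switch"; this is the error class the thread describes.
eval { open(my $fh, '>', $path) or die "open: $!"; close $fh; 1 }
    or print "write with tainted name refused: $@";

# Attempt 2: untaint by capturing only the characters a session id may
# contain. A regex capture is the one operation that clears the taint flag,
# so the pattern must be strict: anchored at both ends, no '.' or '/',
# bounded length. Anything else is rejected rather than "cleaned".
my ($clean) = $sid =~ /\A([A-Za-z0-9]{1,64})\z/
    or die "rejecting session id that is not [A-Za-z0-9]{1,64}\n";
printf "clean tainted: %s\n", tainted($clean) ? 'yes' : 'no';  # prints "no"

my $safe_path = File::Spec->catfile($dir, "cgisess_$clean");
open(my $fh, '>', $safe_path) or die "open: $!";
print $fh "session data\n";
close $fh;
print "wrote ", -s $safe_path, " bytes to $safe_path\n";
```

Run it as `perl -T taint_demo.pl` (perl refuses a -T that appears only in the shebang when the interpreter is started without it). The first open dies inside the eval and the message is printed; the second succeeds because `$clean` was produced by a capture group. The point for a driver such as CGI::Session::Driver::file is that the fix belongs in the untainting step, not in turning taint checks off: a permissive pattern such as `(.*)` would silence the error while letting `../` reach the filename.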