On Sun, Oct 02, 2011 at 11:44:39PM +0200, Ansgar Burchardt wrote:
> Package: perl
> Version: 5.10.0-19
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> the last upstream release of libdigest-perl (1.17) contains a fix for an
> unsafe use of eval: the argument to Digest->new($algo) was not checked
> properly allowing code injection (in case the value can be changed by
> the attacker).
>
> This also affects perl as the module is included in perl-base.
perl-modules from Squeeze also contains 1.16, just like libdigest-perl.
What's the purpose of this package, then?
Wouldn't it rather make sense to drop standalone packages for all
modules present in perl-modules?
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
