Control: tag -1 pending

Hello,

Bug #986135 in libnet-netmask-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libnet-netmask-perl/-/commit/efcb377b2d680c8aa7b3c256271e46a3dec24e5e

------------------------------------------------------------------------
Add patch 0001-SECURITY-Prevent-ambiguous-networks-from-being-accid.patch.

This patch, taken from upstream commit 9023b40, fixes a security issue
with IP addresses containing leading zeros which are interpreted as octal
numbers.

This is CVE-2021-29424, for details cf. also
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/.

From upstream Changes for 2.0000:

- SECURITY: IPv4 addresses with leading zeros are no longer allowed. They
  will return a parse error like any invalid IP address.
- SECURITY: 10.0.0, 10.0, and 10 address portions now by default return a
  parse error. This can be overridden by calling new() like:

      Net::Netmask->new2('10/8', shortnet => 1); # or new()
    or
      Net::Netmask->new2('10', '8', shortnet => 1); # or new()

  There is also a package-level variable that can change the default when
  "shortnet" isn't passed into the constructor. Usage:

      local $Net::Netmask::SHORTNET_DEFAULT = 1;
      Net::Netmask->new('10', '8'); # or new2()

Closes: #986135
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/986135
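
The ambiguity the patch removes, as an added Perl example that is not part of
the message above and is not Net::Netmask's own code: the same leading-zero
string yields two different addresses depending on whether a parser reads the
octets as decimal or, like inet_aton(3), as octal, while a strict check rejects
it. The function names and the sample addresses are constructed for
illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decimal-only reading: leading zeros are ignored, so "010" is ten.
sub quad_decimal {
    my ($ip) = @_;
    return join '.', map { $_ + 0 } split /\./, $ip;
}

# inet_aton(3)-style reading: an octet with a leading 0 is octal, so "010" is eight.
sub quad_octal_aware {
    my ($ip) = @_;
    return join '.', map { /\A0[0-7]+\z/ ? oct($_) : $_ + 0 } split /\./, $ip;
}

# Strict check in the spirit of the 2.0000 change: exactly four decimal
# octets in 0-255 with no leading zeros, so only one reading is possible.
# Short forms such as "10.0.0" are rejected too (no shortnet opt-in here).
sub parse_strict {
    my ($ip) = @_;
    my @octets = split /\./, $ip, -1;    # -1 keeps trailing empty fields
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return join '.', @octets;
}

# Constructed sample inputs.
for my $ip ('10.0.0.1', '010.0.0.1', '0127.0.0.1', '10.0.0', '192.168.1.256') {
    my $strict = parse_strict($ip);
    printf "%-14s decimal=%-14s octal-aware=%-14s strict=%s\n",
        $ip, quad_decimal($ip), quad_octal_aware($ip),
        defined $strict ? $strict : 'parse error';
}
```

For '010.0.0.1' the two readings disagree (10.0.0.1 versus 8.0.0.1), which is
why an allow or deny decision made on one reading may not match the address a
different component actually uses.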