The debian-private mailing list leak, part 1.


Re: Perl security hole (suid buffer overrun problem in 5.003)



On May 22, Alan Cox wrote
> 
> Can you let me know if you are vulnerable, if you are shipping a fixed
> 5.003 (patch below if you need to fix it) or 5.004 which isn't vulnerable.
> Target date for release is Friday.

The soon to be released Debian 1.3 (which includes a fixed perl 5.003_07)
and the current development tree (which includes perl 5.004) are not
vulnerable.

Debian 1.2 as shipped initially was vulnerable. But the fixed perl
5.003_07 was merged into the 1.2 stable tree as of 1.2.11, on the 22nd of
August 1997. So the current stable tree is not vulnerable either. 

People who installed a version of Debian prior to Debian 1.2.11 and haven't
been tracking the stable tree should upgrade their perl packages using the
stable tree at <ftp://ftp.debian.org/debian/dists/stable/>. If 
"dpkg --status perl-suid" reports a version less than 5.003.07-10, you need to
upgrade your perl packages. (Another solution is also available: 
"dpkg --remove perl-suid" will remove the offending setuid root perl binary.)

Thanks,

  Christian

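The package check described in the message above, as an added example that is not part of the original post: it reads one `dpkg --status perl-suid` record and reports whether the installed version is below 5.003.07-10. The function names and the sample record are constructed for illustration, and the `sort -V` fallback is an assumption for hosts without `dpkg`.

```shell
#!/bin/sh
# Added example, not from the original message.
FIXED="5.003.07-10"   # fixed perl-suid version named in the message

# version_lt A B: succeed when version A sorts before version B.
# A plain string comparison would rank "-9" above "-10", so the comparison
# has to be numeric-aware; dpkg's own comparator is used when available.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Fallback (assumption): GNU sort -V is close enough to Debian
        # ordering for simple upstream-revision strings like these.
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# classify_perl_suid: read one `dpkg --status perl-suid` record on stdin and
# print one of: absent | unknown | vulnerable <ver> | fixed <ver>
classify_perl_suid() {
    record=$(cat)
    status=$(printf '%s\n' "$record" | sed -n 's/^Status: *//p' | head -n 1)
    version=$(printf '%s\n' "$record" | sed -n 's/^Version: *//p' | head -n 1)
    # After "dpkg --remove", a record can remain ("deinstall ok config-files")
    # and still carry a Version field although the binary is gone.
    case "$status" in
        ""|*" not-installed"|*" config-files") echo "absent"; return 0 ;;
    esac
    if [ -z "$version" ]; then echo "unknown"; return 0; fi
    if version_lt "$version" "$FIXED"; then
        echo "vulnerable $version"
    else
        echo "fixed $version"
    fi
}

# Constructed sample record (not captured from a real system).
sample_record() {
    printf 'Package: perl-suid\nStatus: install ok installed\nVersion: %s\n' "$1"
}

# On a live system:
#   dpkg --status perl-suid 2>/dev/null | classify_perl_suid
# With the constructed sample:
#   sample_record 5.003.07-9 | classify_perl_suid
```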