On Fri, Nov 14, 2008 at 11:59:22AM +0100, Gisle Aas wrote:
> On Nov 14, 2008, at 11:15 , Nicholas Clark wrote:
> >True. I considered this, but then we get back to a version with a CVE,
> >don't we?
>
> No. perl-5.8.8 shipped with File-Path-1.08 and the CVE-2008-2827 was
> introduced in the 2.xx series.
I believe we're back to code with CVE-2002-0435
> >I think I like the idea of reverting the detection code for now, and > >then> >repenting in leisure. Er, well, writing it properly in leisure.> >> >Am I right in thinking that if the detection code is reverted, the > >behaviour> >is no different (and hence no worse) than the behaviour of 5.8.8 ?> > Yes, it should be with that regard.But we re-add a CVE, so going backwards is not a good option either.
I would be most happy if File::Path 2.08 removed the check code, and
2.09 re-added it, patched and fixed, and 5.8.9 shipped with 2.08
That way, if there are still lingering bugs in the check code, they don't
afflict everyone who is forced to use core releases only, and banned from
upgrading from CPAN.
Nicholas Clark
Highlight