The unstoppable Perl release train?
Posted Mar 2, 2012 14:40 UTC (Fri) by xdg (guest, #83285)
In reply to: The unstoppable Perl release train? by autarch
Parent article: The unstoppable Perl release train?
autarch is correct that the security issue is present in all stable releases of Perl since Unicode support was added. There are no reported exploits. Programs that follow the Perl 5 Security guidelines and the Security Implications of Unicode guidelines are unlikely to be affected.
When the issue is addressed, it will be backported to all supported Perl 5 stable release series, per the Perl 5 Support Policy. The release schedule of Perl is irrelevant. Holding up the Perl 5.16 release wouldn't get the issue fixed any faster and would merely hold up the release of other bugs fixed in the Perl 5.15 development cycle.
Posted Mar 2, 2012 20:37 UTC (Fri)
by dlang (guest, #313)
What is the bug? That's information that I haven't yet seen in this discussion.
Posted Mar 4, 2012 5:27 UTC (Sun)
by jmayer (guest, #595)
Posted Mar 4, 2012 19:39 UTC (Sun)
by xdg (guest, #83285)
If you're reading this as "the Unicode release", then the author has (probably unintentionally) misled you. Unicode itself is a moving target and Perl has continued to make significant strides to improve how it handles Unicode semantics in the last couple releases. See Unicode Overhaul from the 5.12 release notes and Unicode in the 5.14 release notes. Perl 5.16 continues with this trend of incremental improvements. As for how many people read the security-relevant sections of manpages, that's an issue for any language or tool. Most tools can be used insecurely, dynamic languages particularly so. I would hope that anyone writing or deploying code where security does matter would read relevant manpages.