CVE-2013-1667: important rehashing flaw
nick at ccl4.org
Wed Mar 13 13:22:25 GMT 2013
On Wed, Mar 13, 2013 at 11:52:59AM +0000, Dave Mitchell wrote:
> On Wed, Mar 13, 2013 at 09:50:56AM +0000, Chisel wrote:
> > I've just stumbled across http://www.cpan.org/src/README.html which says:
> > Latest releases in each branch of Perl
> > Major Version Type Released Download
> > 5.14 5.14.4 Devel 2013-03-07 perl-5.14.4-RC2.tar.gz
> > 5.16 5.16.3 Maint 2013-03-11 perl-5.16.3.tar.gz
> > 5.14 5.14.4 Maint 2013-03-10 perl-5.14.4.tar.gz
> > To me it looks odd having the RC2 there ... should that be dropped
> > until there is (another) release candidate?
> Presumably its counting 5.14.4-RC2 as the most recent development release,
> and when 5.17.10 is released this will be updated?
If that is the case, it would still be good to fix/change it. As I suspect
that this situation will occur again, and what it presents to the end user
is not the right answer.
RCs are immediately obsolete if there is a real release.
(or a newer RC)
And therefore should no longer be mentioned.
(ie a more "correct" algorithm would be to discard all obsolete releases,
and then show the most recent non-obsolete development release.
However, at the point that 5.18.0 is released, there will be a few days for
which there is *no* current development release, as 5.18.0 will obsolete
More information about the london.pm