mirror of
https://github.com/Perl/perl5.git
synced 2026-01-26 08:38:23 +00:00
Add a new perlsecpolicy POD file with detailed descriptions of the security team's vulnerability remediation workflow and the criteria used to distinguish security issues from other types of bugs. This also switches the team's public contact address to perl-security@perl.org, and updates the security contact information shown in github's issue interface.
84 lines
2.0 KiB
Plaintext
=begin editor

Delete this begin/end block before publication.

Not every heading below is appropriate for every security issue, so
some may be deleted.

Look for FIXME to see what needs to be filled in.

=end editor

=encoding utf8

=head1 NAME

FIXME - short description of the security issue, with an identifier of the issue as the manpage name

=head1 DESCRIPTION

=for editor
Ideally, FIXME here should be the CVE-ID as a link to cve.mitre.org

This document describes the
L<FIXME|http://cve.mitre.org/cgi-bin/cvename.cgi?name=FIXME>
security vulnerability for perl 5.

=head2 Are there any known exploits "in the wild" for this vulnerability?

FIXME or delete

=head2 Who is particularly vulnerable because of this issue?

FIXME or delete

=head2 What is the nature of the vulnerability?

FIXME

=head2 What potential exploits are enabled by this vulnerability?

FIXME or delete

=head2 Which major versions of perl 5 are affected?

FIXME with a list of versions that are affected, and which were updated.

=head2 How can users protect themselves?

FIXME or use the following:

If you are vulnerable, upgrade to the latest maintenance release for the
version of perl you are using.

If your release of perl is no longer supported by the perl 5 committers you
may need to upgrade to a new major release of perl. The versions currently
supported by the perl 5 committers are
FIXME 5.28.2 (until 2020-05-31)
and
FIXME 5.30.1 (until 2021-05-31).
The current version of perl is available from https://www.perl.org/get.html .

=head2 Who was given access to the information about the vulnerability?

FIXME or use the following:

Specifics about the vulnerability were first disclosed to
C<perl-security>, a closed subscriber mailing list that has a
subset of the perl committers subscribed to it.

=head2 When was the vulnerability discovered?

FIXME

=head2 Who discovered the vulnerability?

FIXME

=head2 How was the vulnerability reported?

FIXME: something like "So-and-so sent email to
perl-security@perl.org"

=cut