
Security Issues in perl-5.16.x

From: Shlomi Fish
Date: September 29, 2012 00:26
Subject: Security Issues in perl-5.16.x
Message ID: 20120929092613.5adbb0ea@lap.shlomifish.org

Hi Reini,

On Fri, 28 Sep 2012 15:17:54 +0000
perl-compiler@googlecode.com wrote:

> Updates:
> 	Status: WontFix
> 
> Comment #1 on issue 107 by reini.urban: Build fails with
> perl-5.16.1-7.mga3
> http://code.google.com/p/perl-compiler/issues/detail?id=107
> 
> If you see the Changelog and the STATUS file, you'll see that 5.16
> and 5.17 are not yet supported with v1.42.
> 
> Use latest git please.
> 

Well, that's not a good solution for downstream packagers, and besides
that, the CPAN release should also work, because that's where people
look in general. See:

* http://www.linuxtoday.com/developer/2006052100726OPSWDV

But that's not what I contacted you about. See below.

> I would also strongly recommend not to use 5.16 at all, as it still
> has security issues with "binary safe" names being passed to e.g.
> require and stored now in names, which allow a lot of new security
> attack vectors. And 5.16.0 has a lot of known security holes.
> 

I've read about something like that in Perl Weekly as well, but can you be
more specific about the issues with perl-5.16.x? Also, I'm not using
perl-5.16.0 but rather perl-5.16.1.

Regards,

	Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality -  http://shlom.in/sw-quality

Dax: yep, space. Nothing but nothing all around.
    — Star Trek, “We, the Living Dead” by Shlomi Fish

Please reply to list if it's a mailing list post - http://shlom.in/reply .
