perl.perl5.porters | Postings from September 2012

Re: Security Issues in perl-5.16.x

From: demerphq
Date: September 29, 2012 07:26
Subject: Re: Security Issues in perl-5.16.x
Message ID: CANgJU+UAVDB4AeNGko+eTy_n0_j20V=nZojp4ZzqYhJY6G1Nkg@mail.gmail.com

On 29 September 2012 09:26, Shlomi Fish <shlomif@shlomifish.org> wrote:
> Hi Reini,
>
> On Fri, 28 Sep 2012 15:17:54 +0000
> perl-compiler@googlecode.com wrote:
>
>> Updates:
>>       Status: WontFix
>>
>> Comment #1 on issue 107 by reini.urban: Build fails with
>> perl-5.16.1-7.mga3
>> http://code.google.com/p/perl-compiler/issues/detail?id=107
>>
>> If you see the Changelog and the STATUS file, you'll see that 5.16
>> and 5.17 are not yet supported with v1.42.
>>
>> Use latest git please.
>>
>
> Well, that's not a good solution for downstream packagers, and besides
> that, the CPAN release should also work, because that's where people
> look in general. See:
>
> * http://www.linuxtoday.com/developer/2006052100726OPSWDV
>
> But that's not what I contacted you about. See below.
>
>> I would also strongly recommend not to use 5.16 at all, as it still
>> has security issues with "binary safe" names being passed to e.g.
>> require and stored now in names, which allow a lot of new security
>> attack vectors. And 5.16.0 has a lot of known security holes.
>>
>
> I've read about something like that in Perl Weekly as well, but can you be
> more specific about the issues with perl-5.16.x? Also, I'm not using
> perl-5.16.0 but rather perl-5.16.1.

To date Reini has failed to substantiate this claim despite requests to do so.

Yves

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
