develooper Front page | perl.perl5.porters | Postings from September 2012

Re: Security Issues in perl-5.16.x

From: Shlomi Fish
Date: September 29, 2012 09:21
Subject: Re: Security Issues in perl-5.16.x
Message ID: 20120929182058.3a9912da@lap.shlomifish.org
Hi Yves,

On Sat, 29 Sep 2012 16:26:25 +0200
demerphq <demerphq@gmail.com> wrote:

> On 29 September 2012 09:26, Shlomi Fish <shlomif@shlomifish.org>
> wrote:
> > Hi Reini,
> >
> > On Fri, 28 Sep 2012 15:17:54 +0000
> > perl-compiler@googlecode.com wrote:
> >
> >> Updates:
> >>       Status: WontFix
> >>
> >> Comment #1 on issue 107 by reini.urban: Build fails with
> >> perl-5.16.1-7.mga3
> >> http://code.google.com/p/perl-compiler/issues/detail?id=107
> >>
> >> If you see the Changelog and the STATUS file, you'll see that 5.16
> >> and 5.17 are not yet supported with v1.42.
> >>
> >> Use latest git please.
> >>
> >
> > Well, that's not a good solution for downstream packagers, and
> > beside that, the CPAN release should also work, because that's
> > where people look in general. See:
> >
> > * http://www.linuxtoday.com/developer/2006052100726OPSWDV
> >
> > But that's not what I contacted you about. See below.
> >
> >> I would also strongly recommend not to use 5.16 at all, as it still
> >> has security issues with "binary safe" names being passed to e.g.
> >> require and stored now in names, which allow a lot of new security
> >> attack vectors. And 5.16.0 has a lot of known security holes.
> >>
> >
> > I've read about something like that in Perl Weekly as well, but can
> > you be more specific about the issues with perl-5.16.x? Also, I'm
> > not using perl-5.16.0 but rather perl-5.16.1.
> 
> To date Reini has failed to substantiate this claim despite requests
> to do so.
> 

Thanks for the heads-up. I'll give the perl 5 developers the benefit of the
doubt. Reini, if you read this - the burden of proof is on you.

Regards,

	Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
Perl Humour - http://perl-begin.org/humour/

<rjbs> sub id { my $self = shift; $json_parser_for{ $self }
    ->decode($json_for{ $self })->{id} } # Inside-out JSON-notated objects

Please reply to list if it's a mailing list post - http://shlom.in/reply .


