perl.perl5.porters | Postings from July 2016

Re: CVE-2016-1238: Important unsafe module load path flaw

From: Craig A. Berry
Date: July 25, 2016 20:57
Subject: Re: CVE-2016-1238: Important unsafe module load path flaw
Message ID: CA+vYcVwm7L5NbG7fbGn-rUXE4P03ZW9+r5m9Gxb23sc9j71DOQ@mail.gmail.com

On Mon, Jul 25, 2016 at 8:17 AM, Sawyer X <xsawyerx@gmail.com> wrote:
> Steve Hay just pushed fixes for CVE-2016-1238 to maint-5.22 and
> maint-5.24 for:
> https://rt.perl.org/Ticket/Display.html?id=127834
>
> Steve has also just released RCs for 5.22.3 and 5.24.1 carrying these fixes:
>
> http://nntp.perl.org/group/perl.perl5.porters/238269
> http://nntp.perl.org/group/perl.perl5.porters/238270

The Debian advisory is here for anyone interested:

<https://www.debian.org/security/2016/dsa-3628>

I stumbled on the following message from someone struggling to adapt
the 5.22.x changes to what appears to be an older perl:

<https://lists.gnu.org/archive/html/guix-devel/2016-07/msg01226.html>

If anyone has pointers to a patch or patches that work with 5.20.x or
earlier, it might be nice to share them even though we no longer
officially support those versions.  Debian appears to have patched
their 5.20.x release but I don't know where that source code lives.
