Re: CVE-2016-1238: Important unsafe module load path flaw

Andrew Fresh
July 25, 2016 22:12
On Mon, Jul 25, 2016 at 04:38:51PM -0500, John Lightsey wrote:
> On Mon, 2016-07-25 at 15:57 -0500, Craig A. Berry wrote:
> > I stumbled on the following message from someone struggling to adapt
> > the 5.22.x changes to what appears to be an older perl:
> > 
> > <>
> > 
> > If anyone has pointers to a patch or patches that work with 5.20.x or
> > earlier, it might be nice to share them even though we no longer
> > officially support those versions.  Debian appears to have patched
> > their 5.20.x release but I don't know where that source code lives.
> I'm attaching the backport patches cPanel is using for 5.14.4. We ended up
> skipping all of the version bump commits and just applied the code changes from
> patches 1,3,5 and 7 of this series.

I have a set of three patches for perl-5.20.3 here:

I started with the commits you mention, added some for the removed
scripts, s2p and find2perl, and then used this set of scripts to bump
versions and fix t/porting/customized.dat.  I

The scripts are fairly rough, just supposed to be a one-off.

I didn't find a good way to update Porting/Maintainers.PL so that I did
skip due to lack of time, but that didn't seem *too* important.
(If someone knows how to bump that other than manually, I'd love to know)

I'll be also doing 5.20.2 sometime this week, but that will probably
just get committed directly to CVS.  I expect to do the same, start with
the first patch and then run the script.

andrew -

The programmer's national anthem is 'AAAAAAAARRRRGHHHHH!!'.
