develooper Front page | perl.perl5.porters | Postings from January 2017

Update on Perl 5.24.1 and 5.22.3

Thread Next
Sawyer X
January 1, 2017 20:28
Update on Perl 5.24.1 and 5.22.3
Message ID:

I know everyone is waiting for an update on 5.24.1 and 5.22.3.


5.24.1 and 5.22.3 will come out with many fixes. 5.24.2 and 5.22.4 will
follow suit with the last fix.

Long story:

Since we discovered a security flaw[1], we wanted to include a solution
in 5.24.1 and 5.22.3.

We patched all core modules and applications, except for Due to
its subtle behavioral difference, it was not possible to patch it with
the same ease as other modules and applications. We decided on a
best-effort, which resulted in several situations in which we could not
differ between a legitimate usage of and a malicious one. The
decision was made to secure the possible vulnerabilities at the risk of
breaking a few legitimate use cases. This was not a simple decision and
many alternative options were raised, but fell short. Recently a more
feasible option was suggested and we decided to research it. This
approach will provide a far smaller set of false positives - a situation
with which we are much more comfortable.

The problem we're facing is that we have gone on far too long with no
release. We are at a point where numerous fixes have been made but not
released, since we are waiting for the last patch to fall into place. We
want to correct this.

The plan we have is to release 5.24.1 and 5.22.3 containing all the
fixes we have so far, but the same that shipped in the previous
dot releases. This will give users (both end-users, vendors, and
distributions) an option to upgrade to a safer, more stable version of
Perl 5. At the same time, this gives us more time to resolve the kinks
in the patch. We will be able to return to our normal release
cycle and continue to provide, rather than hold.

This isn't a step back. Instead, it is a step forward.

Until we reach 5.24.2 (and 5.22.4) we will continue to revise our most
recent attempt at patching[2][3]. If this approach fails us, we
will proceed with our more aggressive patch, taking into account
possible breakages, knowing we were not able to reduce them in a
satisfying manner. By 5.24.2 (and 5.22.4), will be patched as
well, and we will communicate the patch and any possible considerations
this may bring the clearest way we can.

Have a happy new year!

Sawyer X.

[1] CVE-2016-1238
[2] Available in branch "ap/baseincguard"
[3] If you wish to help, please review the branch and poke Aristotle

Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About