
Update on Perl 5.24.1 and 5.22.3

From: Sawyer X
Date: January 1, 2017 20:28
Subject: Update on Perl 5.24.1 and 5.22.3
Message ID: f9378371-2e84-593c-452c-9f7f020eb105@gmail.com

Hi,

I know everyone is waiting for an update on 5.24.1 and 5.22.3.

TL;DR:

5.24.1 and 5.22.3 will come out with many fixes. 5.24.2 and 5.22.4 will
follow suit with the last fix.

Long story:

Since we discovered a security flaw[1], we wanted to include a solution
in 5.24.1 and 5.22.3.

We patched all core modules and applications, except for base.pm. Due to
its subtle behavioral difference, it was not possible to patch it with
the same ease as other modules and applications. We decided on a
best-effort approach, which resulted in several situations in which we
could not distinguish between a legitimate usage of base.pm and a
malicious one. The
decision was made to secure the possible vulnerabilities at the risk of
breaking a few legitimate use cases. This was not a simple decision and
many alternative options were raised, but fell short. Recently a more
feasible option was suggested and we decided to research it. This
approach will provide a far smaller set of false positives - a situation
with which we are much more comfortable.

The problem we're facing is that we have gone on far too long with no
release. We are at a point where numerous fixes have been made but not
released, since we are waiting for the last patch to fall into place. We
want to correct this.

The plan we have is to release 5.24.1 and 5.22.3 containing all the
fixes we have so far, but the same base.pm that shipped in the previous
dot releases. This will give users (end-users, vendors, and
distributions) an option to upgrade to a safer, more stable version of
Perl 5. At the same time, this gives us more time to resolve the kinks
in the base.pm patch. We will be able to return to our normal release
cycle and continue to provide, rather than hold.

This isn't a step back. Instead, it is a step forward.

Until we reach 5.24.2 (and 5.22.4) we will continue to revise our most
recent attempt at patching base.pm[2][3]. If this approach fails us, we
will proceed with our more aggressive patch, taking into account
possible breakages, knowing we were not able to reduce them in a
satisfying manner. By 5.24.2 (and 5.22.4), base.pm will be patched as
well, and we will communicate the patch and any possible considerations
this may bring in the clearest way we can.

Have a happy new year!

Sawyer X.

[1] CVE-2016-1238
[2] Available in branch "ap/baseincguard"
[3] If you wish to help, please review the branch and poke Aristotle
Pagaltzis.
