Perl upgrade - 5.20.x vulnerable

Kubilay Kocak koobs at FreeBSD.org
Tue Aug 16 09:07:35 UTC 2016 

On 16/08/2016 6:55 PM, JosC wrote:
> Still get this port upgrade error:
> 
> --- cut text ---
> 
> ===>>> All >> perl5-5.20.3_14 (1/1)
> ===>  Cleaning for perl5-5.20.3_15
> ===>  perl5-5.20.3_15 has known vulnerabilities:
> perl5-5.20.3_15 is vulnerable:
> p5-XSLoader -- local arbitrary code execution
> CVE: CVE-2016-6185
> WWW:
> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
> 
> 1 problem(s) in the installed packages found.
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'
> *** Error code 1
> 
> Stop.
> make[1]: stopped in /usr/ports/lang/perl5.20
> *** Error code 1
> Stop.
> make: stopped in /usr/ports/lang/perl5.20
> 
> ===>>> make build failed for lang/perl5.20
> ===>>> Aborting update
> 
> ===>>> Update for lang/perl5.20 failed
> ===>>> Aborting update
> 
> ===>>> You can restart from the point of failure with this command line:
>        portmaster <flags> lang/perl5.20
> 
> --- cut text ---
> 
> Can only solve by deinstalling the port and reinstall with
> 
> 'DISABLE_VULNERABILITIES=yes'
> 
> Perhaps I miss something, but what is exactly the issue? I just try to
> understand how I can solve this...
> 
> Thanks,
> Jos
> 
> In een bericht van 11-8-2016 20:45:
>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>> stable version?
>>
>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing
>> so:
>>
>>
>> ===>  Cleaning for perl5-5.20.3_14
>> ===>  perl5-5.20.3_14 has known vulnerabilities:
>> perl5-5.20.3_14 is vulnerable:
>> p5-XSLoader -- local arbitrary code execution
>> CVE: CVE-2016-6185
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>
>>
>> perl5-5.20.3_14 is vulnerable:
>> perl -- local arbitrary code execution
>> CVE: CVE-2016-1238
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>
>>
>> 1 problem(s) in the installed packages found.
>> => Please update your ports tree and try again.
>> => Note: Vulnerable ports are marked as such even if there is no update
>> available.
>> => If you wish to ignore this vulnerability rebuild with 'make
>> DISABLE_VULNERABILITIES=yes'
>> *** Error code 1
>>
>> Stop.
>> make[1]: stopped in /usr/ports/lang/perl5.20
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/ports/lang/perl5.20
>>
>> --- cut ---
> 
> 
> 

Try running pkg audit -F to force updating/refreshing the latest VuXML
changes.

In this case the lang/perl5.20 (port) version string that the fix was
made in [1], was only added to an existing entry in security/vuxml as an
'update' yesterday [2]

[1] http://svnweb.freebsd.org/changeset/ports/420220
[2] http://svnweb.freebsd.org/changeset/ports/420219

In the absence of running 'pkg audit -F', only
the"LOCALBASE/periodic/security/410.pkg-audit script updates the vuxml
file and audit results. Until that happens, or pkg audit -F is run, pkg
will still see an older version.

Let us know how it goes

./koobs

More information about the freebsd-ports mailing list