Upgrade Perl5.2.20 (vulnerable)
Matthew Seaman
matthew at FreeBSD.org
Fri Aug 12 09:07:35 UTC 2016
On 08/11/16 19:58, Dean E. Weimer wrote:
> On 2016-08-11 1:43 pm, JosC wrote:
>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>> stable version?
>>
>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing
>> so:
>>
>>
>> ===> Cleaning for perl5-5.20.3_14
>> ===> perl5-5.20.3_14 has known vulnerabilities:
>> perl5-5.20.3_14 is vulnerable:
>> p5-XSLoader -- local arbitrary code execution
>> CVE: CVE-2016-6185
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>
>>
>> perl5-5.20.3_14 is vulnerable:
>> perl -- local arbitrary code execution
>> CVE: CVE-2016-1238
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>
>>
>> 1 problem(s) in the installed packages found.
>> => Please update your ports tree and try again.
>> => Note: Vulnerable ports are marked as such even if there is no
>> update available.
>> => If you wish to ignore this vulnerability rebuild with 'make
>> DISABLE_VULNERABILITIES=yes'
>> *** Error code 1
>>
>> Stop.
>> make[1]: stopped in /usr/ports/lang/perl5.20
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/ports/lang/perl5.20
>>
>> --- cut ---
>>
>>
>> Thanks,
>> Jos Chrispijn
>
> Looks like they just updated all the perl ports to a release candidate
> version to fix this, as in 20 to 30 minutes ago.
>
There seems to be a problem with the VuXML entry for p5-XSLoader, which
also counts as a vulnerability against perl5, since XSLoader is a core
perl module. The version numbers are apparently a bit too inclusive, so
the fixed versions recently committed to the ports are still flagged as
vulnerable.
I just updated my desktop to the very latest and:
# pkg audit -F
[...]
perl5-5.22.3.r2 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW:
https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
VuXML says this for p5-XSLoader:
<package>
<name>perl5</name>
<name>perl5.18</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5.24</name>
<range><ge>5.18</ge><lt>5.18.99</lt></range>
<range><ge>5.20</ge><lt>5.20.99</lt></range>
<range><ge>5.22</ge><lt>5.22.3</lt></range>
<range><ge>5.24</ge><lt>5.24.1</lt></range>
</package>
which is incorrect. Compare to what VuXML says for the other
vulnerability the latest update fixed in perl5 itself:
<package>
<name>perl5</name>
<name>perl5.18</name>
<name>perl5.20</name>
<name>perl5.22</name>
<name>perl5.24</name>
<range><ge>5.18</ge><lt>5.18.4_23</lt></range>
<range><ge>5.20</ge><lt>5.20.3_14</lt></range>
<range><ge>5.22</ge><lt>5.22.3.r2</lt></range>
<range><ge>5.24</ge><lt>5.24.1.r2</lt></range>
</package>
Cheers,
Matthew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20160812/d2e893be/attachment.sig>
More information about the freebsd-questions
mailing list