Upgrade Perl5.2.20 (vulnerable)
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Aug 12 10:47:33 UTC 2016
On 08/12/16 10:07, Matthew Seaman wrote:
> On 08/11/16 19:58, Dean E. Weimer wrote:
>> On 2016-08-11 1:43 pm, JosC wrote:
>>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>>> stable version?
>>>
>>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing
>>> so:
>>>
>>>
>>> ===> Cleaning for perl5-5.20.3_14
>>> ===> perl5-5.20.3_14 has known vulnerabilities:
>>> perl5-5.20.3_14 is vulnerable:
>>> p5-XSLoader -- local arbitrary code execution
>>> CVE: CVE-2016-6185
>>> WWW:
>>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>>
>>>
>>> perl5-5.20.3_14 is vulnerable:
>>> perl -- local arbitrary code execution
>>> CVE: CVE-2016-1238
>>> WWW:
>>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>>
>>>
>>> 1 problem(s) in the installed packages found.
>>> => Please update your ports tree and try again.
>>> => Note: Vulnerable ports are marked as such even if there is no
>>> update available.
>>> => If you wish to ignore this vulnerability rebuild with 'make
>>> DISABLE_VULNERABILITIES=yes'
>>> *** Error code 1
>>>
>>> Stop.
>>> make[1]: stopped in /usr/ports/lang/perl5.20
>>> *** Error code 1
>>>
>>> Stop.
>>> make: stopped in /usr/ports/lang/perl5.20
>>>
>>> --- cut ---
>>>
>>>
>>> Thanks,
>>> Jos Chrispijn
>>
>> Looks like they just updated all the perl ports to a release candidate
>> version to fix this, as in 20 to 30 minutes ago.
>>
>
> There seems to be a problem with the VuXML entry for p5-XSLoader, which
> also counts as a vulnerability against perl5, since XSLoader is a core
> perl module. The version numbers are apparently a bit too inclusive, so
> the fixed versions recently committed to the ports are still flagged as
> vulnerable.
>
> I just updated my desktop to the very latest and:
>
> # pkg audit -F
> [...]
>
> perl5-5.22.3.r2 is vulnerable:
> p5-XSLoader -- local arbitrary code execution
> CVE: CVE-2016-6185
> WWW:
> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>
> VuXML says this for p5-XSLoader:
>
> <package>
> <name>perl5</name>
> <name>perl5.18</name>
> <name>perl5.20</name>
> <name>perl5.22</name>
> <name>perl5.24</name>
> <range><ge>5.18</ge><lt>5.18.99</lt></range>
> <range><ge>5.20</ge><lt>5.20.99</lt></range>
> <range><ge>5.22</ge><lt>5.22.3</lt></range>
> <range><ge>5.24</ge><lt>5.24.1</lt></range>
> </package>
>
> which is incorrect. Compare to what VuXML says for the other
> vulnerability the latest update fixed in perl5 itself:
>
> <package>
> <name>perl5</name>
> <name>perl5.18</name>
> <name>perl5.20</name>
> <name>perl5.22</name>
> <name>perl5.24</name>
> <range><ge>5.18</ge><lt>5.18.4_23</lt></range>
> <range><ge>5.20</ge><lt>5.20.3_14</lt></range>
> <range><ge>5.22</ge><lt>5.22.3.r2</lt></range>
> <range><ge>5.24</ge><lt>5.24.1.r2</lt></range>
> </package>
On closer inspection it seems that both vulnerabilities CVE-2016-6185
(XSLoader local arbitrary code execution) and CVE-2016-1238 (perl local
arbitrary code execution) have been addressed in the updates to
perl5.22 and perl5.24 (which are the two versions still under
development by the upstream perl project -- we've updated to release
candidate versions until their next formal release comes out.)
However, for perl5.18 and perl5.20 which are no longer being updated by
the upstream perl5 project, a different fix has been applied which only
addresses CVE-2016-1238. perl5.20 is the current default version of
perl in the ports tree.
Cheers,
Matthew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20160812/b93c490e/attachment.sig>
More information about the freebsd-questions
mailing list