Date:      Fri, 12 Aug 2016 10:07:16 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Upgrade Perl5.2.20 (vulnerable)
Message-ID:  <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org>
In-Reply-To: <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net>
References:  <c8fb23fa-97f6-2e17-1d92-8b9e04ba1c72@cloudzeeland.nl> <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net>

On 08/11/16 19:58, Dean E. Weimer wrote:
> On 2016-08-11 1:43 pm, JosC wrote:
>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>> stable version?
>>
>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing so:
>>
>>
>> ===>  Cleaning for perl5-5.20.3_14
>> ===>  perl5-5.20.3_14 has known vulnerabilities:
>> perl5-5.20.3_14 is vulnerable:
>> p5-XSLoader -- local arbitrary code execution
>> CVE: CVE-2016-6185
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>
>>
>> perl5-5.20.3_14 is vulnerable:
>> perl -- local arbitrary code execution
>> CVE: CVE-2016-1238
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>
>>
>> 1 problem(s) in the installed packages found.
>> => Please update your ports tree and try again.
>> => Note: Vulnerable ports are marked as such even if there is no
>> update available.
>> => If you wish to ignore this vulnerability rebuild with 'make
>> DISABLE_VULNERABILITIES=yes'
>> *** Error code 1
>>
>> Stop.
>> make[1]: stopped in /usr/ports/lang/perl5.20
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/ports/lang/perl5.20
>>
>> --- cut ---
>>
>>
>> Thanks,
>> Jos Chrispijn
>
> Looks like they just updated all the perl ports to a release candidate
> version to fix this, as in 20 to 30 minutes ago.
>

There seems to be a problem with the VuXML entry for p5-XSLoader, which
also counts as a vulnerability against perl5, since XSLoader is a core
perl module. The version numbers are apparently a bit too inclusive, so
the fixed versions recently committed to the ports are still flagged as
vulnerable.

I just updated my desktop to the very latest and:

# pkg audit -F
[...]

perl5-5.22.3.r2 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW:
https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

VuXML says this for p5-XSLoader:

      <package>
        <name>perl5</name>
        <name>perl5.18</name>
        <name>perl5.20</name>
        <name>perl5.22</name>
        <name>perl5.24</name>
        <range><ge>5.18</ge><lt>5.18.99</lt></range>
        <range><ge>5.20</ge><lt>5.20.99</lt></range>
        <range><ge>5.22</ge><lt>5.22.3</lt></range>
        <range><ge>5.24</ge><lt>5.24.1</lt></range>
      </package>

which is incorrect.  Compare to what VuXML says for the other
vulnerability the latest update fixed in perl5 itself:

      <package>
        <name>perl5</name>
        <name>perl5.18</name>
        <name>perl5.20</name>
        <name>perl5.22</name>
        <name>perl5.24</name>
        <range><ge>5.18</ge><lt>5.18.4_23</lt></range>
        <range><ge>5.20</ge><lt>5.20.3_14</lt></range>
        <range><ge>5.22</ge><lt>5.22.3.r2</lt></range>
        <range><ge>5.24</ge><lt>5.24.1.r2</lt></range>
      </package>

	Cheers,

	Matthew
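As an added example (not code from this thread, from pkg, or from the VuXML project), the following Python models the package version ordering that makes the p5-XSLoader range set above too inclusive and the perl range set correct: under pkg's ordering a release candidate such as 5.22.3.r2 sorts before the bare 5.22.3, so `<lt>5.22.3</lt>` still matches the fixed package, while `<lt>5.22.3.r2</lt>` does not. Only a subset of the rules documented in pkg-version(8) is modelled (numeric dot-separated components, a `,N` epoch, a `_N` port revision, and pre-release markers such as `.r2`/`rc` that sort before the release); the numeric ranks given to those markers and the treatment of a missing trailing component as `.0` are assumptions of this example, and anything more exotic raises an error rather than guessing. The four "fixed" versions are the `<lt>` bounds of the perl entry quoted above.

```python
"""Added example, not code from this thread, from pkg, or from VuXML.

A simplified model of FreeBSD package version ordering, used to show why
the p5-XSLoader <range> set quoted in the mail still flags the fixed
perl5 versions while the perl entry does not.  Only a subset of the rules
documented in pkg-version(8) is modelled: numeric dot-separated
components, a ',N' epoch, a '_N' port revision, and pre-release markers
such as '.r2' or 'rc1' that sort before the bare release.  The ranks used
for those markers are an assumption of this example, not libpkg's values.
"""
import re

# Pre-release markers sort below the bare version, so 5.22.3.r2 < 5.22.3.
# Rank values are assumed for this example.
PRERELEASE_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "r": -1}

_COMPONENT = re.compile(r"^(\d*)([A-Za-z]*)(\d*)$")


def parse_component(text):
    """Map one dot-separated component to a (number, letter_rank, trailing) tuple.

    "3"   -> (3, 0, 0)      plain number
    "r2"  -> (0, -1, 2)     release candidate 2, sorts before a bare "3" or ".0"
    "pl3" -> (0, 0, 3)      patch level 3, sorts after the bare version
    "0a"  -> (0, 1, 0)      letter suffix, so 1.0a > 1.0
    """
    match = _COMPONENT.match(text)
    if text == "" or not match:
        raise ValueError("unsupported version component: %r" % text)
    number, letters, trailing = match.groups()
    letters = letters.lower()
    if letters in PRERELEASE_RANK:
        rank = PRERELEASE_RANK[letters]
    elif letters in ("", "pl"):
        rank = 0
    elif len(letters) == 1:
        rank = ord(letters) - ord("a") + 1
    else:
        raise ValueError("unsupported letters in component: %r" % text)
    return (int(number or 0), rank, int(trailing or 0))


def parse_version(version):
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, components, revision)."""
    epoch = revision = 0
    if "," in version:
        version, epoch_text = version.rsplit(",", 1)
        epoch = int(epoch_text)
    if "_" in version:
        version, revision_text = version.rsplit("_", 1)
        revision = int(revision_text)
    return epoch, [parse_component(c) for c in version.split(".")], revision


def compare_versions(left, right):
    """Return -1, 0 or 1, like the '<', '=', '>' printed by 'pkg version -t'."""
    epoch_l, comps_l, rev_l = parse_version(left)
    epoch_r, comps_r, rev_r = parse_version(right)
    if epoch_l != epoch_r:
        return -1 if epoch_l < epoch_r else 1
    # A missing trailing component counts as a bare ".0" (assumption of this model).
    width = max(len(comps_l), len(comps_r))
    comps_l = comps_l + [(0, 0, 0)] * (width - len(comps_l))
    comps_r = comps_r + [(0, 0, 0)] * (width - len(comps_r))
    for a, b in zip(comps_l, comps_r):
        if a != b:
            return -1 if a < b else 1
    if rev_l != rev_r:
        return -1 if rev_l < rev_r else 1
    return 0


def in_range(installed, ge=None, lt=None):
    """VuXML <range> semantics as used above: <ge> inclusive, <lt> exclusive."""
    if ge is not None and compare_versions(installed, ge) < 0:
        return False
    if lt is not None and compare_versions(installed, lt) >= 0:
        return False
    return True


def audit(installed, ranges):
    """True if any (ge, lt) pair matches, i.e. 'pkg audit' would flag the package."""
    return any(in_range(installed, ge, lt) for ge, lt in ranges)


# The two <package> range sets quoted in the mail, as (ge, lt) pairs.
XSLOADER_ENTRY = [("5.18", "5.18.99"), ("5.20", "5.20.99"),
                  ("5.22", "5.22.3"), ("5.24", "5.24.1")]
PERL_ENTRY = [("5.18", "5.18.4_23"), ("5.20", "5.20.3_14"),
              ("5.22", "5.22.3.r2"), ("5.24", "5.24.1.r2")]

# The fixed versions, taken from the <lt> bounds of the perl entry.
FIXED_VERSIONS = ["5.18.4_23", "5.20.3_14", "5.22.3.r2", "5.24.1.r2"]


def flagged_fixed_versions(ranges):
    """Fixed versions that a range set still reports as vulnerable."""
    return [v for v in FIXED_VERSIONS if audit(v, ranges)]


if __name__ == "__main__":
    for name, entry in (("p5-XSLoader", XSLOADER_ENTRY), ("perl", PERL_ENTRY)):
        print("%s entry still flags: %s"
              % (name, flagged_fixed_versions(entry) or "nothing"))
```

On a FreeBSD host the same comparison is available as `pkg version -t 5.22.3.r2 5.22.3`, which prints `<`; running that against every `<lt>` bound with the version actually committed to the port is the check that would have caught the p5-XSLoader entry before it shipped.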


