From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Upgrade Perl5.2.20 (vulnerable)
Date: Fri, 12 Aug 2016 10:07:16 +0100
Message-ID: <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org>
In-Reply-To: <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net>
References: <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net>

On 08/11/16 19:58, Dean E. Weimer wrote:
> On 2016-08-11 1:43 pm, JosC wrote:
>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>> stable version?
>>
>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing
>> so:
>>
>>
>> ===> Cleaning for perl5-5.20.3_14
>> ===> perl5-5.20.3_14 has known vulnerabilities:
>> perl5-5.20.3_14 is vulnerable:
>> p5-XSLoader -- local arbitrary code execution
>> CVE: CVE-2016-6185
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>
>>
>> perl5-5.20.3_14 is vulnerable:
>> perl -- local arbitrary code execution
>> CVE: CVE-2016-1238
>> WWW:
>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>
>>
>> 1 problem(s) in the installed packages found.
>> => Please update your ports tree and try again.
>> => Note: Vulnerable ports are marked as such even if there is no
>> update available.
>> => If you wish to ignore this vulnerability rebuild with 'make
>> DISABLE_VULNERABILITIES=yes'
>> *** Error code 1
>>
>> Stop.
>> make[1]: stopped in /usr/ports/lang/perl5.20
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/ports/lang/perl5.20
>>
>> --- cut ---
>>
>>
>> Thanks,
>> Jos Chrispijn
>
> Looks like they just updated all the perl ports to a release candidate
> version to fix this, as in 20 to 30 minutes ago.
>

There seems to be a problem with the VuXML entry for p5-XSLoader, which
also counts as a vulnerability against perl5, since XSLoader is a core
perl module. The version numbers are apparently a bit too inclusive, so
the fixed versions recently committed to the ports are still flagged as
vulnerable.

I just updated my desktop to the very latest and:

# pkg audit -F
[...]
perl5-5.22.3.r2 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

VuXML says this for p5-XSLoader:

  <package>
    <name>perl5</name>
    <name>perl5.18</name>
    <name>perl5.20</name>
    <name>perl5.22</name>
    <name>perl5.24</name>
    <range><ge>5.18</ge><lt>5.18.99</lt></range>
    <range><ge>5.20</ge><lt>5.20.99</lt></range>
    <range><ge>5.22</ge><lt>5.22.3</lt></range>
    <range><ge>5.24</ge><lt>5.24.1</lt></range>
  </package>

which is incorrect. Compare to what VuXML says for the other
vulnerability the latest update fixed in perl5 itself:

  <package>
    <name>perl5</name>
    <name>perl5.18</name>
    <name>perl5.20</name>
    <name>perl5.22</name>
    <name>perl5.24</name>
    <range><ge>5.18</ge><lt>5.18.4_23</lt></range>
    <range><ge>5.20</ge><lt>5.20.3_14</lt></range>
    <range><ge>5.22</ge><lt>5.22.3.r2</lt></range>
    <range><ge>5.24</ge><lt>5.24.1.r2</lt></range>
  </package>

Cheers,

Matthew
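The following is an added illustration, not part of the message above and not code from pkg(8) or the VuXML tooling: a simplified re-implementation of FreeBSD package version ordering (an assumption here: only the numeric, letter-suffix and `_revision` forms that appear in this thread are modelled; epochs and the alpha/beta/pre/rc keyword forms are left out) together with the half-open `<ge>`/`<lt>` range test, showing why perl5-5.22.3.r2 is caught by `<lt>5.22.3</lt>` but not by `<lt>5.22.3.r2</lt>`.

```python
"""Why pkg audit flags perl5-5.22.3.r2 under <ge>5.22</ge><lt>5.22.3</lt>.

Simplified model of FreeBSD package version ordering (assumption: enough
for the versions in this thread; epochs and alpha/beta/pre/rc keywords are
not handled), plus the half-open range test that VuXML entries express.
"""
import re

# One dot-separated component is "<number><letter><number>", each part
# optional: "3", "r2" (release candidate 2) or "3b".  A component that
# starts with a letter gets number -1, so it orders BELOW a plain number
# and 5.22.3.r2 sorts before 5.22.3, which is the pre-release convention.
_COMPONENT = re.compile(r"(\d*)([A-Za-z]?)(\d*)")


def _split(version):
    """Return (components, port_revision) for e.g. '5.20.3_14'."""
    base, _, revision = version.partition("_")
    comps = []
    for piece in base.split("."):
        match = _COMPONENT.fullmatch(piece)
        if match is None:
            raise ValueError("unsupported version component: %r" % piece)
        num, letter, sub = match.groups()
        comps.append((int(num) if num else -1,
                      ord(letter.lower()) - ord("a") + 1 if letter else 0,
                      int(sub) if sub else 0))
    return comps, int(revision) if revision else 0


def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ca, ra = _split(a)
    cb, rb = _split(b)
    # A missing trailing component counts as 0, so "5.22.3" == "5.22.3.0";
    # the port revision (_N) is only compared once the versions are equal.
    length = max(len(ca), len(cb))
    ca += [(0, 0, 0)] * (length - len(ca))
    cb += [(0, 0, 0)] * (length - len(cb))
    key_a, key_b = (ca, ra), (cb, rb)
    return (key_a > key_b) - (key_a < key_b)


def vulnerable(installed, ge, lt):
    """VuXML <range><ge>ge</ge><lt>lt</lt></range> means ge <= installed < lt."""
    return compare(installed, ge) >= 0 and compare(installed, lt) < 0


if __name__ == "__main__":
    # The too-inclusive entry flags the fixed release candidate...
    print("5.22.3.r2 vs lt 5.22.3   :", vulnerable("5.22.3.r2", "5.22", "5.22.3"))
    # ...while the corrected style of entry does not.
    print("5.22.3.r2 vs lt 5.22.3.r2:", vulnerable("5.22.3.r2", "5.22", "5.22.3.r2"))
```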