Date:      Fri, 12 Aug 2016 11:47:27 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: Upgrade Perl5.2.20 (vulnerable)
Message-ID:  <028e220e-2015-8c95-d619-b5c871e294b6@infracaninophile.co.uk>
In-Reply-To: <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org>
References:  <c8fb23fa-97f6-2e17-1d92-8b9e04ba1c72@cloudzeeland.nl> <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net> <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org>

On 08/12/16 10:07, Matthew Seaman wrote:
> On 08/11/16 19:58, Dean E. Weimer wrote:
>> On 2016-08-11 1:43 pm, JosC wrote:
>>> Can someone tell me how to best upgrade from Perl5.20.x to the latest
>>> stable version?
>>>
>>> Tried to upgrade to Perl5.22 but got (also) the same issue while doing
>>> so:
>>>
>>>
>>> ===>  Cleaning for perl5-5.20.3_14
>>> ===>  perl5-5.20.3_14 has known vulnerabilities:
>>> perl5-5.20.3_14 is vulnerable:
>>> p5-XSLoader -- local arbitrary code execution
>>> CVE: CVE-2016-6185
>>> WWW:
>>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>>>
>>>
>>> perl5-5.20.3_14 is vulnerable:
>>> perl -- local arbitrary code execution
>>> CVE: CVE-2016-1238
>>> WWW:
>>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b8.html
>>>
>>>
>>> 1 problem(s) in the installed packages found.
>>> => Please update your ports tree and try again.
>>> => Note: Vulnerable ports are marked as such even if there is no
>>> update available.
>>> => If you wish to ignore this vulnerability rebuild with 'make
>>> DISABLE_VULNERABILITIES=yes'
>>> *** Error code 1
>>>
>>> Stop.
>>> make[1]: stopped in /usr/ports/lang/perl5.20
>>> *** Error code 1
>>>
>>> Stop.
>>> make: stopped in /usr/ports/lang/perl5.20
>>>
>>> --- cut ---
>>>
>>>
>>> Thanks,
>>> Jos Chrispijn
>>
>> Looks like they just updated all the perl ports to a release candidate
>> version to fix this, as in 20 to 30 minutes ago.
>>
>
> There seems to be a problem with the VuXML entry for p5-XSLoader, which
> also counts as a vulnerability against perl5, since XSLoader is a core
> perl module. The version numbers are apparently a bit too inclusive, so
> the fixed versions recently committed to the ports are still flagged as
> vulnerable.
>
> I just updated my desktop to the very latest and:
>
> # pkg audit -F
> [...]
>
> perl5-5.22.3.r2 is vulnerable:
> p5-XSLoader -- local arbitrary code execution
> CVE: CVE-2016-6185
> WWW:
> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
>
> VuXML says this for p5-XSLoader:
>
>       <package>
>         <name>perl5</name>
>         <name>perl5.18</name>
>         <name>perl5.20</name>
>         <name>perl5.22</name>
>         <name>perl5.24</name>
>         <range><ge>5.18</ge><lt>5.18.99</lt></range>
>         <range><ge>5.20</ge><lt>5.20.99</lt></range>
>         <range><ge>5.22</ge><lt>5.22.3</lt></range>
>         <range><ge>5.24</ge><lt>5.24.1</lt></range>
>       </package>
>
> which is incorrect.  Compare to what VuXML says for the other
> vulnerability the latest update fixed in perl5 itself:
>
>       <package>
>         <name>perl5</name>
>         <name>perl5.18</name>
>         <name>perl5.20</name>
>         <name>perl5.22</name>
>         <name>perl5.24</name>
>         <range><ge>5.18</ge><lt>5.18.4_23</lt></range>
>         <range><ge>5.20</ge><lt>5.20.3_14</lt></range>
>         <range><ge>5.22</ge><lt>5.22.3.r2</lt></range>
>         <range><ge>5.24</ge><lt>5.24.1.r2</lt></range>
>       </package>

On closer inspection it seems that both vulnerabilities CVE-2016-6185
(XSLoader local arbitrary code execution) and CVE-2016-1238 (perl local
arbitrary code execution) have been addressed in the updates to
perl5.22 and perl5.24 (which are the two versions still under
development by the upstream perl project -- we've updated to release
candidate versions until their next formal release comes out.)

However, for perl5.18 and perl5.20 which are no longer being updated by
the upstream perl5 project, a different fix has been applied which only
addresses CVE-2016-1238.  perl5.20 is the current default version of
perl in the ports tree.

	Cheers,

	Matthew
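
As an added example (not part of the thread, and not pkg(8)'s own code), the range check that reproduces the false positive Matthew describes: the two VuXML <package> blocks quoted above are parsed and the installed versions from the thread are tested against them. The version ordering is a deliberate simplification (an assumption, not pkg's real comparison algorithm) in which a trailing `.rN` release-candidate component sorts before the final release and `_N` is the PORTREVISION.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two VuXML <package> blocks quoted in the thread.
XSLOADER_ENTRY = """<package>
  <name>perl5</name><name>perl5.18</name><name>perl5.20</name>
  <name>perl5.22</name><name>perl5.24</name>
  <range><ge>5.18</ge><lt>5.18.99</lt></range>
  <range><ge>5.20</ge><lt>5.20.99</lt></range>
  <range><ge>5.22</ge><lt>5.22.3</lt></range>
  <range><ge>5.24</ge><lt>5.24.1</lt></range>
</package>"""

PERL_ENTRY = """<package>
  <name>perl5</name><name>perl5.18</name><name>perl5.20</name>
  <name>perl5.22</name><name>perl5.24</name>
  <range><ge>5.18</ge><lt>5.18.4_23</lt></range>
  <range><ge>5.20</ge><lt>5.20.3_14</lt></range>
  <range><ge>5.22</ge><lt>5.22.3.r2</lt></range>
  <range><ge>5.24</ge><lt>5.24.1.r2</lt></range>
</package>"""


def version_key(version):
    """Simplified ordering for the version strings in this thread (an
    assumption, not pkg(8)'s real comparison): '_N' is the PORTREVISION,
    a trailing '.rN' component is a release candidate that sorts before
    the final release, and the remaining dotted components are numeric."""
    base, _, revision = version.partition("_")
    parts = base.split(".")
    rc = None
    if re.fullmatch(r"r\d+", parts[-1]):
        rc = int(parts.pop()[1:])
    numeric = tuple(int(p) for p in parts)
    rc_rank = (0, rc) if rc is not None else (1, 0)  # rc < final release
    return (numeric, rc_rank, int(revision or 0))


def in_vulnerable_range(entry_xml, version):
    """True if `version` lies in any <range> (ge/lt bounds, as used above)."""
    key = version_key(version)
    for rng in ET.fromstring(entry_xml).findall("range"):
        lo, hi = rng.find("ge"), rng.find("lt")
        if lo is not None and key < version_key(lo.text):
            continue
        if hi is not None and key >= version_key(hi.text):
            continue
        return True
    return False


def audit(pkg_versions):
    """Map each installed perl5 version to the CVE entries that flag it."""
    entries = {"CVE-2016-6185": XSLOADER_ENTRY, "CVE-2016-1238": PERL_ENTRY}
    return {v: [cve for cve, xml in entries.items() if in_vulnerable_range(xml, v)]
            for v in pkg_versions}
```

With these entries, 5.22.3.r2 and 5.24.1.r2 clear the perl entry (upper bound 5.22.3.r2 / 5.24.1.r2) but still fall under the XSLoader entry's bound of 5.22.3 / 5.24.1, which is exactly the `pkg audit -F` output quoted above.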

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?028e220e-2015-8c95-d619-b5c871e294b6>