From owner-freebsd-questions@freebsd.org Fri Aug 12 10:47:33 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C6459BB74B8 for ; Fri, 12 Aug 2016 10:47:33 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:c4ea:bd49:619b:6cb3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 509F211EC for ; Fri, 12 Aug 2016 10:47:33 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from ox-dell39.ox.adestra.com (unknown [85.199.232.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: m.seaman@infracaninophile.co.uk) by smtp.infracaninophile.co.uk (Postfix) with ESMTPSA id 439FDC9C0 for ; Fri, 12 Aug 2016 10:47:28 +0000 (UTC) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=infracaninophile.co.uk DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infracaninophile.co.uk; s=201601-infracaninophile; t=1470998848; bh=eOuFduNlZu+ygmW2GW0CRKsi45tmXQU2AY9g1jK3xwM=; h=Subject:To:References:From:Date:In-Reply-To; z=Subject:=20Re:=20Upgrade=20Perl5.2.20=20(vulnerable)|To:=20freebs d-questions@freebsd.org|References:=20=0D=0A=20<98acd0e6bcc55fb1140210c315c2e1 e5@dweimer.net>=0D=0A=20<8fbf7ee7-d94c-315d-9baf-56da27d5df9e@free bsd.org>|From:=20Matthew=20Seaman=20|Date:=20Fri,=2012=20Aug=202016=2011:47:27=20+0100|In-Reply-To: =20<8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org>; b=nhi42JYQJcH7itLn1ID8DamXisETW077vNuMS8e0j/6j+s2QxoH0F71JJl2eN/Ggd kEo68mGNFpZ42LN1RNjPNJQST8ydKTwQLhfqEcHh4MuLgI3P6CB8SvDR+0TKLFog/r ZyCs0sHfYy3FSwP8i178CSkvFfE/wVxKUTJatQ5A= Subject: Re: Upgrade Perl5.2.20 (vulnerable) To: freebsd-questions@freebsd.org References: <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net> <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org> From: Matthew Seaman Message-ID: <028e220e-2015-8c95-d619-b5c871e294b6@infracaninophile.co.uk> Date: Fri, 12 Aug 2016 11:47:27 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="KV2Ql70OLhjn6tDvAX4IdUckN9L2QOhHm" X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RDNS_NONE,SPF_FAIL autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on smtp.infracaninophile.co.uk X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2016 10:47:33 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --KV2Ql70OLhjn6tDvAX4IdUckN9L2QOhHm Content-Type: multipart/mixed; boundary="tp91Tvh9SaTF6atqrgEJx942TJgEQibAb" From: Matthew Seaman To: freebsd-questions@freebsd.org Message-ID: <028e220e-2015-8c95-d619-b5c871e294b6@infracaninophile.co.uk> Subject: Re: Upgrade Perl5.2.20 (vulnerable) References: <98acd0e6bcc55fb1140210c315c2e1e5@dweimer.net> <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org> In-Reply-To: <8fbf7ee7-d94c-315d-9baf-56da27d5df9e@freebsd.org> --tp91Tvh9SaTF6atqrgEJx942TJgEQibAb Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 08/12/16 10:07, Matthew Seaman wrote: > On 08/11/16 19:58, Dean E. Weimer wrote: >> On 2016-08-11 1:43 pm, JosC wrote: >>> Can someone tell me how to best upgrade from Perl5.20.x to the latest= >>> stable version? >>> >>> Tried to upgrade to Perl5.22 but got (also) the same issue while doin= g >>> so: >>> >>> >>> =3D=3D=3D> Cleaning for perl5-5.20.3_14 >>> =3D=3D=3D> perl5-5.20.3_14 has known vulnerabilities: >>> perl5-5.20.3_14 is vulnerable: >>> p5-XSLoader -- local arbitrary code execution >>> CVE: CVE-2016-6185 >>> WWW: >>> https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b= 8.html >>> >>> >>> perl5-5.20.3_14 is vulnerable: >>> perl -- local arbitrary code execution >>> CVE: CVE-2016-1238 >>> WWW: >>> https://vuxml.FreeBSD.org/freebsd/72bfbb09-5a6a-11e6-a6c3-14dae9d210b= 8.html >>> >>> >>> 1 problem(s) in the installed packages found. >>> =3D> Please update your ports tree and try again. >>> =3D> Note: Vulnerable ports are marked as such even if there is no >>> update available. >>> =3D> If you wish to ignore this vulnerability rebuild with 'make >>> DISABLE_VULNERABILITIES=3Dyes' >>> *** Error code 1 >>> >>> Stop. >>> make[1]: stopped in /usr/ports/lang/perl5.20 >>> *** Error code 1 >>> >>> Stop. >>> make: stopped in /usr/ports/lang/perl5.20 >>> >>> --- cut --- >>> >>> >>> Thanks, >>> Jos Chrispijn >> >> Looks like they just updated all the perl ports to a release candidate= >> version to fix this, as in 20 to 30 minutes ago. >> >=20 > There seems to be a problem with the VuXML entry for p5-XSLoader, which= > also counts as a vulnerability against perl5, since XSLoader is a core > perl module. The version numbers are apparently a bit too inclusive, so= > the fixed versions recently committed to the ports are still flagged as= > vulnerable. >=20 > I just updated my desktop to the very latest and: >=20 > # pkg audit -F > [...] >=20 > perl5-5.22.3.r2 is vulnerable: > p5-XSLoader -- local arbitrary code execution > CVE: CVE-2016-6185 > WWW: > https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.= html >=20 > VuXML says this for p5-XSLoader: >=20 > > perl5 > perl5.18 > perl5.20 > perl5.22 > perl5.24 > 5.185.18.99 > 5.205.20.99 > 5.225.22.3 > 5.245.24.1 > >=20 > which is incorrect. Compare to what VuXML says for the other > vulnerability the latest update fixed in perl5 itself: >=20 > > perl5 > perl5.18 > perl5.20 > perl5.22 > perl5.24 > 5.185.18.4_23 > 5.205.20.3_14 > 5.225.22.3.r2 > 5.245.24.1.r2 > On closer inspection it seems that both vulnerabilities CVE-2016-6185 (XSLoader local arbitrary code execution) and CVE-2016-1238 (perl local arbitrary code execution) have been addressed in the updates to perl5.22 and perl5.24 (which are the two versions still under development by the upstream perl project -- we've updated to release candidate versions until their next formal release comes out.) However, for perl5.18 and perl5.20 which are no longer being updated by the upstream perl5 project, a different fix has been applied which only addresses CVE-2016-1238. perl5.20 is the current default version of perl in the ports tree. Cheers, Matthew --tp91Tvh9SaTF6atqrgEJx942TJgEQibAb-- --KV2Ql70OLhjn6tDvAX4IdUckN9L2QOhHm Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXrak/AAoJEABRPxDgqeTnopoP/AzuDirOXDfq+FCFFFaNjW8A 0pO13OFryfkJtczc9KwW/x1aIBf9+fZONc62nxsw21BgFLzSVA73RRzqEpHIX2qM cfgyXvCJq9lwBFb7uUo17Zv0bBZN/8z4JJjau4PKrJIwCNhjs/q0mcai7rKMx8J6 2CCxGvhW7ZZ2NoZIyemj+tvwpawwyO52px+SPhcqIbG4Dpj0je7MClpoUIJUjfJT SCQtQg+I1boyfjnte3E+F5K13oRbL8haLGJW30mu98EI9fw5UAdGyf+IIrhu0Ybz XqtUVJcU2NTtpORYFelZ4TDTCWS5J84b9e2pdMGZYY3w5mrXv8hUari0hjP5MnNs iIkdLhlZzXEDlj54sbVmAhdpo08NJFze5m9S+Jfx8G72u6USpPC+9YWhawjusFdn VoQFI6XYKBqY695A1QVTCbCqJ72aNN9HUwklXqz2y/NVHk97cEBwRWyFVrrvGcQQ gy85AzShXZV/Fgt5vsxxSSzG6Q/umZgnFdKj27DMQB2BRkXG7IjuqkkZ1HskSNzf TEvqDr4cs5I4vHqUHndqPbXywuzLSSshbKf5Jw9AEIgv0a8VHFcLlrTBseXvBbRE LgMPhVl+XXIhRjoqE5QYVtUU+CfFeFNoXxc0n4rlRMcs0Ju/yx5kcthZsndsxudi 9MgWOUtRq7JJVdhjdyDA =sqsa -----END PGP SIGNATURE----- --KV2Ql70OLhjn6tDvAX4IdUckN9L2QOhHm--