UbuntuUpdates.org

Package "perl-base"

Name: perl-base

Description: minimal Perl system

Latest version: 5.26.1-6ubuntu0.7
Release: bionic (18.04)
Level: security
Repository: main
Head package: perl
Homepage: http://dev.perl.org/perl5/


Other versions of "perl-base" in Bionic

Repository  Area  Version
base        main  5.26.1-6
updates     main  5.26.1-6ubuntu0.7

Changelog

Version: 5.26.1-6ubuntu0.7 2023-05-29 19:06:57 UTC

  perl (5.26.1-6ubuntu0.7) bionic-security; urgency=medium

  * SECURITY UPDATE: insecure default TLS configuration in HTTP::Tiny module
    - debian/patches/CVE-2023-31484.patch: add verify_SSL=>1 to HTTP::Tiny to
      verify https server identity.
    - CVE-2023-31484

 -- Camila Camargo de Matos <email address hidden> Tue, 23 May 2023 14:17:19 -0300

CVE-2023-31484 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Version: 5.26.1-6ubuntu0.6 2022-10-19 14:06:22 UTC

  perl (5.26.1-6ubuntu0.6) bionic-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-16156-1.patch: signature
      verification type CANNOT_VERIFY was not recognized
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-2.patch: add two new failure modes
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-3.patch: use gpg
      to disentangle data and signature in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-4.patch: replacing die with mydie in
      three spots in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-5.patch: disambiguate the call
      to gpg --output by adding --verify in
      cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-6.patch: corrects typo
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-7.patch: corrects typo
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - CVE-2020-16156

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 05 Oct 2022 07:49:22 -0300

CVE-2020-16156 CPAN 2.28 allows Signature Verification Bypass.

Version: 5.26.1-6ubuntu0.5 2020-10-26 12:06:50 UTC

  perl (5.26.1-6ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow in regex compiler
    - debian/patches/fixes/CVE-2020-10543.patch: prevent integer overflow
      from nested regex quantifiers in regcomp.c.
    - CVE-2020-10543
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-10878.patch: extract
      rck_elide_nothing in embed.fnc, embed.h, proto.h, regcomp.c.
    - CVE-2020-10878
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-12723.patch: avoid mutating regexp
      program within GOSUB in embed.fnc, embed.h, proto.h, regcomp.c,
      t/re/pat.t.
    - CVE-2020-12723
  * debian/patches/fixes/fix_test_2020.patch: fix FTBFS caused by test
    failing in the year 2020 in cpan/Time-Local/t/Local.t.

 -- Marc Deslauriers <email address hidden> Mon, 19 Oct 2020 06:57:24 -0400

CVE-2020-10543 Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2020-10878 Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could l
CVE-2020-12723 regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Version: 5.26.1-6ubuntu0.3 2018-12-03 19:06:17 UTC

  perl (5.26.1-6ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow leading to buffer overflow
    - debian/patches/fixes/CVE-2018-18311.patch: handle integer wrap in
      util.c.
    - CVE-2018-18311
  * SECURITY UPDATE: Heap-buffer-overflow write / reg_node overrun
    - debian/patches/fixes/CVE-2018-18312.patch: fix logic in regcomp.c.
    - CVE-2018-18312
  * SECURITY UPDATE: Heap-buffer-overflow read
    - debian/patches/fixes/CVE-2018-18313.patch: convert some strchr to
      memchr in regcomp.c.
    - CVE-2018-18313
  * SECURITY UPDATE: Heap-based buffer overflow
    - debian/patches/fixes/CVE-2018-18314.patch: fix extended charclass in
      pod/perldiag.pod, pod/perlrecharclass.pod, regcomp.c,
      t/lib/warnings/regcomp, t/re/reg_mesg.t, t/re/regex_sets.t.
    - CVE-2018-18314

 -- Marc Deslauriers <email address hidden> Mon, 19 Nov 2018 10:54:44 -0500

CVE-2018-18311 Integer overflow leading to buffer overflow and segmentation fault
CVE-2018-18312 Heap-buffer-overflow write in S_regatom (regcomp.c)
CVE-2018-18313 Heap-buffer-overflow read in regcomp.c
CVE-2018-18314 Heap-based buffer overflow

Version: 5.26.1-6ubuntu0.1 2018-06-13 18:06:59 UTC

  perl (5.26.1-6ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/fixes/CVE-2018-12015.patch: fix in
      cpan/Archive-Tar/lib/Archive/Tar.pm.
    - CVE-2018-12015

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 12 Jun 2018 16:32:02 -0300

CVE-2018-12015 In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary


