UbuntuUpdates.org

Package "perl"

Name: perl

Description:

Larry Wall's Practical Extraction and Report Language

Latest version: 5.34.0-3ubuntu1.3
Release: jammy (22.04)
Level: security
Repository: main
Homepage: http://dev.perl.org/perl5/

Other versions of "perl" in Jammy

Repository Area Version
base main 5.34.0-3ubuntu1
updates main 5.34.0-3ubuntu1.3

Changelog

Version: 5.34.0-3ubuntu1.3 2023-11-27 15:07:03 UTC

  perl (5.34.0-3ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: heap overflow via regular expression
    - debian/patches/CVE-2023-47038.patch: fix read/write past buffer end
      in regcomp.c, t/re/pat_advanced.t.
    - CVE-2023-47038
  * SECURITY UPDATE: infinite recursion via warning message printing
    - debian/patches/CVE-2022-48522.patch: fix warning handling in sv.c,
      t/lib/warnings/sv.
    - CVE-2022-48522

 -- Marc Deslauriers <email address hidden> Thu, 23 Nov 2023 09:56:46 -0500

CVE-2023-47038 Write past buffer end via illegal user-defined Unicode property
CVE-2022-48522 In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.

Version: 5.34.0-3ubuntu1.2 2023-06-05 13:07:10 UTC

  perl (5.34.0-3ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: insecure default TLS configuration in HTTP::Tiny module
    - debian/patches/CVE-2023-31484.patch: add verify_SSL=>1 to HTTP::Tiny to
      verify https server identity.
    - CVE-2023-31484

 -- Camila Camargo de Matos <email address hidden> Tue, 23 May 2023 14:18:13 -0300

CVE-2023-31484 CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Version: 5.34.0-3ubuntu1.1 2022-10-19 14:06:29 UTC

  perl (5.34.0-3ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-16156-1.patch: signature
      verification type CANNOT_VERIFY was not recognized
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-2.patch: add two new failure modes
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-3.patch: use gpg
      to disentangle data and signature in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-4.patch: replacing die with mydie in
      three spots in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-5.patch: disambiguate the call
      to gpg --output by adding --verify in
      cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-6.patch: corrects typo
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - debian/patches/CVE-2020-16156-7.patch: corrects typo
      in cpan/CPAN/lib/CPAN/Distribution.pm.
    - CVE-2020-16156

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 04 Oct 2022 15:16:23 -0300

CVE-2020-16156 CPAN 2.28 allows Signature Verification Bypass.


