UbuntuUpdates.org

Package "perl-base"

Name: perl-base

Description: minimal Perl system

Latest version: 5.38.2-3.2ubuntu0.3
Release: noble (24.04)
Level: security
Repository: main
Head package: perl
Homepage: http://dev.perl.org/perl5/

Other versions of "perl-base" in Noble

Repository  Area  Version
base        main  5.38.2-3.2build2
updates     main  5.38.2-3.2ubuntu0.3

Changelog

Version: 5.38.2-3.2ubuntu0.3 2026-06-24 13:07:37 UTC

  perl (5.38.2-3.2ubuntu0.3) noble-security; urgency=high

  * SECURITY UPDATE: path traversal in Archive::Tar symlink/hardlink extraction
    - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink
      targets against absolute paths and directory traversal in
      cpan/Archive-Tar/lib/Archive/Tar.pm
    - CVE-2026-42496
  * SECURITY UPDATE: integer overflow in regular expression compiler
    - debian/patches/CVE-2026-8376_1.patch: add test cases for heap buffer
      overflow via quantified fixed-string regex in t/re/pat_psycho.t
    - debian/patches/CVE-2026-8376_2.patch: add overflow check before
      fixed-string buffer allocation in regcomp.c / regcomp_study.c
    - CVE-2026-8376

 -- Chrisa Oikonomou <email address hidden> Fri, 12 Jun 2026 16:42:23 +0300

CVE-2026-42496 Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file()
CVE-2026-8376 Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_stu

Version: 5.38.2-3.2ubuntu0.2 2025-07-29 19:07:26 UTC

  perl (5.38.2-3.2ubuntu0.2) noble-security; urgency=medium

  * SECURITY UPDATE: threads race condition in file operations
    - debian/patches/fixes/CVE-2025-40909-metaconfig.diff: check for
      fdopendir in regen-configure/U/perl/d_fdopendir.U.
    - debian/patches/fixes/CVE-2025-40909-1.diff: clone dirhandles without
      fchdir in Configure, Cross/config.sh-arm-linux,
      Cross/config.sh-arm-linux-n770, Porting/Glossary, Porting/config.sh,
      config_h.SH, configure.com, plan9/config_sh.sample, sv.c,
      t/op/threads-dirh.t, win32/config.gc, win32/config.vc.
    - debian/patches/fixes/CVE-2025-40909-2.diff: minor corrections in
      Cross/config.sh-arm-linux, Cross/config.sh-arm-linux-n770,
      config_h.SH, plan9/config_sh.sample.
    - debian/patches/fixes/CVE-2025-40909-3.diff: use PerlLIO_dup_cloexec
      in Perl_dirp_dup to set O_CLOEXEC in sv.c.
    - debian/patches/fixes/CVE-2025-40909-metaconfig-reorder.diff: slightly
      reorder Configure and config_h.SH to match metaconfig output in
      Configure, config_h.SH.
    - debian/patches/fixes/CVE-2025-40909-generated.diff: update generated
      files and checksums in uconfig.sh, uconfig64.sh, uconfig.h.
    - CVE-2025-40909

 -- Marc Deslauriers <email address hidden> Fri, 25 Jul 2025 13:26:40 -0400

CVE-2025-40909 Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread crea

Version: 5.38.2-3.2ubuntu0.1 2025-04-14 14:07:24 UTC

  perl (5.38.2-3.2ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: heap overflow when transliterating non-ASCII bytes
    - debian/patches/CVE-2024-56406.patch: properly calculate needed space
      in op.c.
    - CVE-2024-56406

 -- Marc Deslauriers <email address hidden> Tue, 08 Apr 2025 08:47:54 -0400

CVE-2024-56406 A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development version