Perl vulnerabilities in FreeBSD 11.0-RELEASE-p1

Hi,

I wonder if someone could offer some advice / guidance please?

We are running a few hosts on FreeBSD 11.0-RELEASE-p1. A recent vulnerability scan of these hosts shows the following defects in Perl 5.24.1 -

CVE-2016-1238: Important unsafe module load path flaw
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html

p5-XSLoader -- local arbitrary code execution
https://vuxml.freebsd.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

I've updated ports, but it seems the latest release of Perl available is the one we are running with the defects, i.e. perl 5, version 24, subversion 1.

What are my options for upgrading Perl to remove these vulnerabilities?

Many thanks daz
 
I'm confused!

Are you saying that perl installed as part of FreeBSD 11.0-RELEASE-p1 -
Code:
perl -v
This is perl 5, version 24, subversion 1 (v5.24.1) built for amd64-freebsd-thread-multi
is actually 5.24.1-RC2?
 
Doesn't appear to be the case - I updated the ports tree this morning and -
Code:
xxx@xxx.xxxxx:~ $ cd /usr/ports/lang/perl5
perl5-devel/ perl5.18/    perl5.20/    perl5.22/    perl5.24/    
xxx@xxx.xxxxx:~ $ cd /usr/ports/lang/perl5.24/
xxx@xxx.xxxxx:/usr/ports/lang/perl5.24 $ more distinfo 
TIMESTAMP = 1484491231
SHA256 (perl/perl-5.24.1.tar.xz) = 03a77bac4505c270f1890ece75afc7d4b555090b41aa41ea478747e23b2afb3f
SIZE (perl/perl-5.24.1.tar.xz) = 11569284
So how do I upgrade Perl to a version that is > perl-5.24.1?

Many thanks !

daz
 
There is no version 5.24.2. The CVEs were against a release candidate of 5.24.1.
 
Here you go, please see the attached images of the scan results -

Thanks Daz

Perl-Vulnerability.PNG
p5-XSLoader-Vulnersbility.PNG
 