SECURITY -- PERL VULNERABILITY

First of all, I'm sorry that this thread will appear to be off topic, but I searched for a SECURITY category and it is not present, so I wrote this here, in the category where, I think, the most services on a server are affected.

Well, this morning I read the internal mail and found out that my server has a package vulnerable to DoS attacks and more (perl5-5.18.4_11).

So I ran pkg audit perl | more and here it is:
Code:
Affected versions:
>= 5.16.0 : < 5.16.2_1
>= 5.14.0 : < 5.14.2_3
perl -- denial of service via algorithmic complexity attack on hash routines
CVE: CVE-2013-1667

>= 5.8.0 : 5.8.9
perl -- Directory Permission Race Condition
CVE: CVE-2005-0448

> 5.8.* : < 5.8.8_1
PERL -- regular expression unicode data buffer overflow
CVE: CVE-2007-5116

>= 5.8 : < 5.8.6_2
perl -- vulnerabilities in PERLIO_DEBUG handling
CVE: CVE-2005-0156
CVE: CVE-2005-0155

>= 5.8.0 : < 5.8.7_1
>= 5.6.0 : < 5.6.2
perl, webmin, usermin -- perl format string integer wrap vulnerability
CVE: CVE-2005-3962
CVE: CVE-2005-3912

>= 5.8.0 : < 5.8.6
>= 0 : < 5.6.2
perl -- File::Path insecure file/directory permissions
CVE: CVE-2004-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0452
Well, the last one is interesting for me ( >= 0 : < 5.6.2 ). So I was wondering how soon patches for these vulnerabilities are released? Or, if they exist already, where are they? Because I'm a little bit freaked out here!

What should I do ?
 
...I come back with an addition and another question. I googled it a little bit and found out that I have perl v5.20, but then, here I go again: why does pkg audit perl | more say "1 problem(s) in the installed packages found"?
 
OK... but I'm not convinced; on the page you refer to there is not a single word about [CVE-2004-0452]. I can't link anything with it.

Another issue, again: why does pkg audit perl say I have 1 problem in the installed packages? perl -v says perl v5.20.3, so why does it say that? Is it a problem with the configuration of my pkg.conf, or does a real threat exist?
 
OK... but I'm not convinced; on the page you refer to there is not a single word about [CVE-2004-0452]. I can't link anything with it.
Because it's a really old one that was patched 12 years ago in a version of Perl that's not even supported anymore.

Another issue, again: why does pkg audit perl say I have 1 problem in the installed packages? perl -v says perl v5.20.3, so why does it say that? Is it a problem with the configuration of my pkg.conf, or does a real threat exist?
Because they're local patches, and the version of Perl doesn't change.

https://svnweb.freebsd.org/ports/head/lang/perl5.20/files/?view=log
 
Use pkg audit. A pkg audit <pkgname> shows all security advisories for that package, past and present.
 
Well, I told you already that one morning, when I was checking my server's logs, I gave the command pkg audit perl because, after fetching the vulnerability database, it appeared that perl5-5.18.4_11 was vulnerable.

So I still don't understand why this warning appeared in my logs (this year, 2016) if that package was fixed in previous versions and by FreeBSD (several years ago)?

perl -v says perl v5.20.3, so why does it say that? Can't the system identify package versions, or what?

How should I react to similar warnings for other packages? Is it a misconfiguration of pkg, or of another package on my server, or what?
 
Again, use pkg audit. Nothing else, no pkg audit <packagename> or anything else. As for looking for specific versions, use pkg version -v. That will actually show you the version, including the port revision, of the installed packages.

A pkg audit perl simply shows all available advisories for perl. This includes old ones. It will even show you this list when you don't have perl installed.
 
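To make the point of the last two replies concrete, here is an added example (not code from the thread, and not pkg's own code) that parses an "Affected versions" listing like the one quoted above and checks a given installed version, port revision included, against each range. The sample text is constructed from the well-formed entries in the listing; the version ordering is a simplified approximation of pkg's comparison (epoch after `,`, port revision after `_`, dotted numeric components), and on a real system `pkg version -t A B` remains the authoritative check.

```python
"""Check an installed FreeBSD package version against the "Affected versions"
ranges printed by `pkg audit <name>`.  Added example; the ordering is a
simplified approximation of pkg's version comparison, not pkg(8) code."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: three well-formed entries from the listing in the thread.
SAMPLE_AUDIT = """\
Affected versions:
>= 5.16.0 : < 5.16.2_1
>= 5.14.0 : < 5.14.2_3
perl -- denial of service via algorithmic complexity attack on hash routines
CVE: CVE-2013-1667

>= 5.8.0 : < 5.8.6_2
perl -- vulnerabilities in PERLIO_DEBUG handling
CVE: CVE-2005-0156
CVE: CVE-2005-0155

>= 5.8.0 : < 5.8.6
>= 0 : < 5.6.2
perl -- File::Path insecure file/directory permissions
CVE: CVE-2004-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0452
"""

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}

# A bound is an optional operator plus a token starting with a digit, so
# "CVE: CVE-2013-1667" and the title lines never look like a range.
_BOUND = r"(?P<{n}_op>[<>]=?|=)?\s*(?P<{n}>\d[\w.,]*)"
RANGE_RE = re.compile(r"^\s*" + _BOUND.format(n="lo") + r"\s*:\s*"
                      + _BOUND.format(n="hi") + r"\s*$")


def parse_version(v: str) -> Tuple[int, List[int], int]:
    """'5.18.4_11,1' -> (epoch 1, [5, 18, 4], port revision 11).
    Only dotted numeric components are handled (no '*' or letter suffixes)."""
    epoch = rev = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return epoch, [int(p) for p in v.split(".")], rev


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b.  Missing
    trailing components count as 0 (5.8 == 5.8.0); the port revision is
    compared last, so 5.16.2 < 5.16.2_1: a local patch bumps only _N."""
    ae, ap, ar = parse_version(a)
    be, bp, br = parse_version(b)
    n = max(len(ap), len(bp))
    ka = (ae, ap + [0] * (n - len(ap)), ar)
    kb = (be, bp + [0] * (n - len(bp)), br)
    return (ka > kb) - (ka < kb)


@dataclass
class Advisory:
    title: str = ""
    cves: List[str] = field(default_factory=list)
    ranges: List[Tuple[str, str, str, str]] = field(default_factory=list)


def parse_audit(text: str) -> List[Advisory]:
    """Split audit output into advisories; an entry ends at a blank line."""
    advisories, cur = [], Advisory()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur.ranges:
                advisories.append(cur)
            cur = Advisory()
            continue
        m = RANGE_RE.match(line)
        if m:
            cur.ranges.append((m["lo_op"] or "=", m["lo"], m["hi_op"] or "=", m["hi"]))
        elif line.startswith("CVE:"):
            cur.cves.append(line.split(":", 1)[1].strip())
        elif line.startswith(("http://", "https://", "WWW:", "Affected versions")):
            continue
        elif cur.ranges and not cur.title:
            cur.title = line
    if cur.ranges:
        advisories.append(cur)
    return advisories


def in_range(installed: str, rng: Tuple[str, str, str, str]) -> bool:
    lo_op, lo, hi_op, hi = rng
    return OPS[lo_op](compare(installed, lo)) and OPS[hi_op](compare(installed, hi))


def check(installed: str, text: str = SAMPLE_AUDIT) -> List[str]:
    """Titles of the advisories whose ranges actually contain `installed`."""
    return [a.title for a in parse_audit(text)
            if any(in_range(installed, r) for r in a.ranges)]


if __name__ == "__main__":
    # Neither version from the thread falls inside any listed range; the
    # revision suffix alone decides whether 5.16.2 is still affected.
    for v in ("5.20.3", "5.18.4_11", "5.16.1", "5.16.2", "5.16.2_1", "5.6.1"):
        print(f"{v:>10}: {check(v) or 'not affected'}")
```

Run it as-is to see the listing evaluated against the thread's versions; to apply it to a real host, feed `check()` the output of `pkg audit <name>` and the version from `pkg version -v` (or `pkg query '%v' <name>`), since `perl -v` reports only the upstream version and never the `_N` port revision that the ranges key on.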