New Perl 5.6.1-8.8

hostpc.com

There's a new Perl version to fix a couple of vulnerabilities...

Package : perl
Vulnerability : insecure temporary files / directories
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0452 CAN-2004-0976

Several vulnerabilities have been discovered in Perl, the popular
scripting language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CAN-2004-0452

Jeroen van Wolffelaar discovered that the rmtree() function in the
File::Path module removes directory trees in an insecure manner
which could lead to the removal of arbitrary files and directories
through a symlink attack.

CAN-2004-0976

Trustix developers discovered several insecure uses of temporary
files in many modules which allow a local attacker to overwrite
files via a symlink attack.

For the stable distribution (woody) these problems have been fixed in
version 5.6.1-8.8.

For the unstable distribution (sid) these problems have been fixed in
version 5.8.4-5.
 
Are you on a Red Hat machine?

Do you have an rpm install of perl, or are you building it from source?

Thanks,

Van
 
I'm gonna give it a day or so to see if John can get it updated here - else I'll just rebuild later tomorrow.

Happy new year - updates fast and furious :)
 
How are you doing this?

I have a perl rpm and I want to update with this new one; what's the best way to go about it?
 
Yes, my system is sitting wide open. Need a fix for this asap; an updated perl rpm would be great, because it appears I cannot remove the old RH one because of all the dependencies.
 
Well, the initial distro RPM failed meeting DA's dependencies on a test box - hopefully we can prod John and the DA crew into releasing this upgrade soon...

I haven't tried with a more recent distro yet for Fedora or RH9.
 
Odd, I just looked at a couple of my boxes - hadn't noticed this previously:

Fedora:
# perl -v

This is perl, v5.8.3

RH9:
# perl -v

This is perl, v5.8.0

That'd explain why I was having "issues" ... hmm.. that warning just came out, wonder if it's an older notice.

You're running 5.6?
 
I am... I am wondering if that's just a RH 7.3 original rpm that has not been patched forever. Do you have the link to the full advisory?
 
Really not sure what I should do. I think the best bet would be to install from src, but removing that rpm will probably break a lot of stuff, so I'm not really sure how to go about this.
 
Yeah, I sent them a ticket :)

I will hold tight for now; I think I need to start looking into a different OS that has good updates.
 
Fedora is Red Hat's test OS though; they could throw numbers of buggy apps into it. Don't you have to upgrade the core every time it comes out using a CD?
 
Another question: because this was a Debian vulnerability, does it apply to my Red Hat perl version?
 
From the original post:

Debian-specific: no

I don't think (but am not certain) that it's Debian specific... at least that's what I interpret it as.
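As an added example (not from this thread or from any vendor), a small POSIX shell check for the question raised here: whether an RPM-installed perl whose version string looks old actually carries the backported fixes. It assumes the vendor recorded the CVE ids (CAN-2004-0452, CAN-2004-0976) in the package changelog; the sample changelog entries below are constructed, not real vendor output.

```shell
#!/bin/sh
# Added example: decide whether an RPM-based perl carries the fixes for
# CAN-2004-0452 / CAN-2004-0976. RPM vendors often backport fixes without
# bumping the upstream version, so "perl -v" alone (5.6.1, 5.8.0, ...)
# cannot answer the question; the package changelog can, provided the
# vendor mentioned the CVE ids there (an assumption of this script).

# Return 0 if the changelog text on stdin mentions both advisory ids.
changelog_has_fixes() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q 'CAN-2004-0452' &&
    printf '%s\n' "$text" | grep -q 'CAN-2004-0976'
}

# Classify one host from the changelog of its perl package (stdin).
# Prints "patched" or "check-vendor-errata".
classify_perl_package() {
    if changelog_has_fixes; then
        echo patched
    else
        echo check-vendor-errata
    fi
}

# Constructed sample changelog entries (not real vendor output) so the
# script can be exercised offline.
SAMPLE_PATCHED='* Tue Jan 04 2005 Example Maintainer <maint@example.invalid> 5.8.0-88.4
- fix insecure temporary file use in several modules (CAN-2004-0976)
- fix symlink race in File::Path::rmtree (CAN-2004-0452)'
SAMPLE_UNPATCHED='* Mon Jun 10 2002 Example Maintainer <maint@example.invalid> 5.6.1-34
- rebuild for release'

# Live use: "sh check_perl.sh --live" feeds the installed package's changelog.
if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog perl | classify_perl_package
fi
```

A "check-vendor-errata" result does not prove the box is vulnerable; it means the changelog gives no evidence of the fix and the vendor's errata need to be consulted.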
 
vandal said:
Fedora is Red Hat's test OS though; they could throw numbers of buggy apps into it. Don't you have to upgrade the core every time it comes out using a CD?

Heck no... a simple update, and BAM...

I just took several from FC1 to FC3 within about 15 minutes each.
 
Ahh, ok, I bet my version is vulnerable. I think cPanel uses a tar based perl install; maybe DA should do the same, not too sure about that though.
 