• [SECURITY] [DSA 3501-1] perl security update

    From Salvatore Bonaccorso@1:229/2 to All on Tue Mar 1 16:30:01 2016
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3501-1                   [email protected]
    https://www.debian.org/security/                     Salvatore Bonaccorso
    March 01, 2016                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : perl
    CVE ID : CVE-2016-2381

    Stephane Chazelas discovered a bug in the environment handling in Perl.
    Perl provides a Perl-space hash variable, %ENV, in which environment
    variables can be looked up. If a variable appears twice in envp, only
    the last value would appear in %ENV, but getenv would return the first.
    Perl's taint security mechanism would be applied to the value in %ENV,
    but not to the rest of the environment. This could result in an
    ambiguous environment causing environment variables to be propagated
    to subprocesses, despite the protections supposedly offered by taint
    checking.

    With this update Perl changes the behavior to match the following:

    a) %ENV is populated with the first environment variable, as getenv
    would return.
    b) Duplicate environment entries are removed.

    For the oldstable distribution (wheezy), this problem has been fixed
    in version 5.14.2-21+deb7u3.

    For the stable distribution (jessie), this problem has been fixed in
    version 5.20.2-3+deb8u4.

    For the unstable distribution (sid), this problem will be fixed in
    version 5.22.1-8.

    We recommend that you upgrade your perl packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]

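The fixed behaviour the advisory describes (the first entry for a name wins, as getenv would return, and duplicate entries are removed), as an added C example that is not part of the advisory or of Perl's source. The function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length of the NAME part of a "NAME=value" entry (whole string if no '='). */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Illustrative helper (not Perl's code): compact a NULL-terminated envp in
 * place, keeping the first entry for each name and dropping later duplicates.
 * Returns the number of entries dropped. */
size_t env_dedupe_first_wins(char **envp) {
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        size_t n = name_len(envp[i]);
        int seen = 0;
        for (size_t k = 0; k < kept && !seen; k++)
            seen = (name_len(envp[k]) == n && memcmp(envp[k], envp[i], n) == 0);
        if (seen)
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;   /* kept never exceeds the original entry count */
    return dropped;
}

/* First-match lookup over an explicit envp, the order the advisory gives for getenv. */
const char *env_lookup(char **envp, const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (name_len(envp[i]) == n && memcmp(envp[i], name, n) == 0)
            return envp[i][n] == '=' ? envp[i] + n + 1 : "";
    return NULL;
}

int main(void) {
    /* Constructed sample: PATH appears twice with different values. */
    char *env[] = { "PATH=/usr/bin", "HOME=/root", "PATH=/opt/second/bin", "LANG=C", NULL };
    size_t dropped = env_dedupe_first_wins(env);
    printf("dropped %zu duplicate(s)\n", dropped);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("%s\n", env[i]);
    return 0;
}
```

A non-zero return value is also a useful signal to log, since a well-formed environment should not contain repeated names.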