New Perl 5.6.1-8.8


hostpc.com
12-30-2004, 10:58 AM
There's a new Perl version to fix a couple of vulnerabilities...



Package : perl
Vulnerability : insecure temporary files / directories
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0452 CAN-2004-0976

Several vulnerabilities have been discovered in Perl, the popular
scripting language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CAN-2004-0452

Jeroen van Wolffelaar discovered that the rmtree() function in the
File::Path module removes directory trees in an insecure manner
which could lead to the removal of arbitrary files and directories
through a symlink attack.

CAN-2004-0976

Trustix developers discovered several insecure uses of temporary
files in many modules which allow a local attacker to overwrite
files via a symlink attack.

For the stable distribution (woody) these problems have been fixed in
version 5.6.1-8.8.

For the unstable distribution (sid) these problems have been fixed in
version 5.8.4-5.
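
Added example, not from the advisory or from anyone in this thread: a directory-tree removal that examines every entry with lstat and never follows a symbolic link, which is the class of bug described for CAN-2004-0452, with the scratch directories created by File::Temp instead of a predictable name, the class of bug behind CAN-2004-0976. The function name safe_rmtree and the sample directories are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Remove a directory tree without ever following a symbolic link.
# Every entry is examined with lstat, so -l/-d describe the entry itself,
# not what a link points at: links are unlinked as links, and only real
# directories are descended into.  A link planted inside the tree
# therefore cannot steer the removal to files elsewhere on the system.
sub safe_rmtree {
    my ($dir) = @_;
    lstat($dir) or die "lstat $dir: $!";
    die "refusing to remove $dir: it is a symlink" if -l _;
    die "not a directory: $dir" unless -d _;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);
    for my $entry (@entries) {
        my $path = File::Spec->catfile($dir, $entry);
        lstat($path) or die "lstat $path: $!";
        if    (-l _) { unlink($path) or die "unlink $path: $!" }  # the link itself
        elsif (-d _) { safe_rmtree($path) }                       # a real subdirectory
        else         { unlink($path) or die "unlink $path: $!" }  # regular file etc.
    }
    rmdir($dir) or die "rmdir $dir: $!";
    return 1;
}

# tempdir() picks an unpredictable name and creates it with mode 0700,
# so another local user cannot pre-plant a path of the same name.
# (constructed sample layout: $outside must survive, $work must go)
my $outside = tempdir("perlfix-outside.XXXXXXXX", TMPDIR => 1);
my $work    = tempdir("perlfix-work.XXXXXXXX",    TMPDIR => 1);

open(my $keep, '>', "$outside/keep") or die $!;  close($keep);
mkdir("$work/sub") or die $!;
open(my $fh, '>', "$work/sub/file") or die $!;  print $fh "scratch\n";  close($fh);
symlink($outside, "$work/sub/link") or die "symlink: $!";  # points outside the tree

safe_rmtree($work);
printf "work tree removed: %s; file outside the tree survived: %s\n",
    (-e $work ? 'no' : 'yes'), (-e "$outside/keep" ? 'yes' : 'no');

unlink("$outside/keep");  rmdir($outside);   # tidy up the sample
```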

vandal
12-30-2004, 01:47 PM
You on a Red Hat machine?

Do you have an RPM install of Perl, or are you building it from source?

Thanks,

Van

hostpc.com
12-30-2004, 01:56 PM
I'm gonna give it a day or so to see if John can get it updated here - else I'll just rebuild later tomorrow.

Happy new year - updates fast and furious :)

vandal
01-08-2005, 06:44 AM
How are you doing this?

I have a Perl RPM and I want to update with this new one; what's the best way to go about it?

dec
01-09-2005, 01:24 PM
Any updates on this..?

vandal
01-09-2005, 03:45 PM
Yes, my system is sitting wide open. Need a fix for this ASAP; an updated Perl RPM would be great, because it appears I cannot remove the old RH one because of all the dependencies.

hostpc.com
01-09-2005, 04:15 PM
Well, the initial distro RPM failed meeting DA's dependencies on a test box - hopefully we can prod John and the DA crew into releasing this upgrade soon...

I haven't tried with a more recent distro yet for Fedora or RH9.

vandal
01-09-2005, 04:16 PM
The Perl RPM installed is a custom-made one?

perl-5.6.1-36.1.73

hostpc.com
01-09-2005, 04:24 PM
Odd, I just looked at a couple of my boxes - hadn't noticed this previously:

Fedora:
# perl -v

This is perl, v5.8.3

RH9:
# perl -v

This is perl, v5.8.0

That'd explain why I was having "issues"... hmm, that warning just came out; wonder if it's an older notice.

You're running 5.6?

vandal
01-09-2005, 04:30 PM
I am... I am wondering if that's just a RH 7.3 original RPM that has not been patched forever. Do you have the link to the full advisory?

hostpc.com
01-09-2005, 04:38 PM
I'm sure I got it from the SecurityFocus mailing list - here's a posted copy:

http://www.ciac.org/ciac/bulletins/p-086.shtml

http://www.linuxcompatible.org/story39440.html

vandal
01-09-2005, 05:12 PM
Really not sure what I should do. I think the best bet would be to install from src, but removing that RPM will probably break a lot of stuff, so I'm not really sure how to go about this.

hostpc.com
01-09-2005, 05:14 PM
I think I'd PM or email John - support@ Directadmin . com

Ask him before you do anything like removing the RPM.

vandal
01-09-2005, 05:16 PM
Yeah, I sent them a ticket :)

I will hold tight for now. I think I need to start looking into a different OS that has good updates.

hostpc.com
01-09-2005, 05:30 PM
Fedora Core or CentOS.... most stable I've seen. DA loves FC ... truly!

vandal
01-09-2005, 05:32 PM
Fedora is Red Hat's test OS though; they could throw numbers of buggy apps into it. Don't you have to upgrade the core every time it comes out using a CD?

vandal
01-09-2005, 05:35 PM
Another question: because this was a Debian vulnerability, does it apply to my Red Hat Perl version?

hostpc.com
01-09-2005, 05:37 PM
From the original post:

Debian-specific: no

I don't think (but am not certain) that it's Debian-specific... at least that's what I interpret it as.

hostpc.com
01-09-2005, 05:38 PM
Originally posted by vandal
Fedora is Red Hat's test OS though; they could throw numbers of buggy apps into it. Don't you have to upgrade the core every time it comes out using a CD?

Heck no... a simple update, and BAM...

I just took several from FC1 to FC3 within about 15 minutes each.

vandal
01-09-2005, 05:38 PM
Ahh, OK, I bet my version is vulnerable. I think cPanel uses a tar-based Perl install; maybe DA should do the same, not too sure about that though.

vandal
01-09-2005, 05:51 PM
OK, the Fedora Legacy guys are working on it as we speak.

Not sure how much longer until they get the updates out.

https://bugzilla.fedora.us/show_bug.cgi?id=2261

So I guess we just sit tight.

DirectAdmin Support
01-09-2005, 08:02 PM
Hello,

As for our position on this issue, DA does not monitor what version of Perl is used, nor does it really make any changes to what you've got.

All DA needs is for a version of Perl to be on the system. As for the issue in this thread, it is the responsibility of the server administrator to keep Perl updated if he chooses (along with the other services).

John

Chrysalis
01-10-2005, 11:45 AM
If you do upgrade perl remember to reinstall all your perl modules.

jlasman
01-10-2005, 10:50 PM
Just to add for general information (I don't think any of the previous posts made it clear):

1) If you're using a properly configured RHEL, WBEL, CentOS, or Fedora system with YUM installed, it should automatically install the latest versions of all software installed by RPMs.

If you're using earlier versions of either RHL 7.x or RHL 9, then you're stuck with either a Progeny Transition membership or the free Fedora Legacy Project, and manual installation.

(If you're using FreeBSD or one of the other Linuxes, I really can't help you as I don't have enough experience :( .)

2) Red Hat, and perhaps other RPM-based distributions as well (I'm not sure), do not update major release numbers, as doing so would break dependencies in the RPM database. Instead they backport the fixes into the original numbered source code and update the minor numbers. Rootkit Hunter (and many humans) won't like this, but it's perfectly safe.

Jeff
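
Added example, not posted by anyone in this thread: because a backported fix leaves "perl -v" unchanged, the place to look is the package changelog (rpm -q --changelog perl), which names the advisory IDs. The script below walks such a changelog entry by entry and reports the first version-release whose notes mention each ID; the function name fix_release and the sample changelog text are mine, with placeholder packager names, dates and release numbers.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RPM distributions keep the upstream version and backport fixes, so the
# interpreter's version string cannot tell you whether a fix is present.
# The package changelog can: each entry starts with a "* <date> <packager>
# <version-release>" header, followed by "- ..." note lines.  Return the
# version-release of the first entry whose notes mention $id, or undef.
sub fix_release {
    my ($changelog, $id) = @_;
    my $current = '';
    for my $line (split /\n/, $changelog) {
        if ($line =~ /^\*\s.*\s(\S+)\s*$/) {   # header: last token is version-release
            $current = $1;
            next;
        }
        return $current if index($line, $id) >= 0;
    }
    return undef;                               # not mentioned anywhere
}

# Constructed sample changelog (placeholder entries, not a real package's history).
my $sample = <<'END';
* Thu Jan 06 2005 Example Packager <packager@example.invalid> 5.8.0-90
- backport fix for File::Path rmtree symlink handling (CAN-2004-0452)
* Mon Nov 01 2004 Example Packager <packager@example.invalid> 5.8.0-89
- backport fix for insecure temporary files (CAN-2004-0976)
* Fri Jul 11 2003 Example Packager <packager@example.invalid> 5.8.0-88
- rebuild
END

# On a live RPM system, replace $sample with the real changelog:
#   my $sample = `rpm -q --changelog perl`;
for my $id (qw(CAN-2004-0452 CAN-2004-0976)) {
    my $rel = fix_release($sample, $id);
    print defined $rel ? "$id: fixed in $rel\n"
                       : "$id: not mentioned, treat as unpatched\n";
}
```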

werwin01
01-11-2005, 01:18 AM
FreeBSD 5.3 was easy to update.

I downloaded the stable.tar.gz file from http://www.perl.com/download.csp#stable

did a
tar -zxvf stable.tar.gz
cd perl-5.8.6
./configure.gnu
make
make install

Something in that area, I'm writing this off the top of my head. However, my upgrade worked.

Chrysalis
01-11-2005, 11:40 AM
If updating the FreeBSD port (FreeBSD Perl comes as a port, not base),

then it's easy.

1 - cvsup ports tree
2 - install portupgrade if you don't have it
3 - portupgrade -o lang/perl5.8 perl-5.6.1

Substitute perl-5.6.1 for the current version of Perl installed; if you already have 5.8.x installed then a normal portupgrade will upgrade Perl for you.

4 - portupgrade -f $(find /usr/local/lib/perl5/site_perl/5.6.1 -type f -print0|xargs -0 pkg_which -fv|sed -e 's/.*: //g'|sort -u)

Substitute 5.6.1 for the old version. This will reinstall all Perl modules and other ports that depend on Perl.

5 - use.perl port

This will symlink the new bin to /usr/bin/perl and add entries to make.conf so future ports installed use Perl 5.8.5 (latest version).

interfasys
01-30-2005, 04:35 PM
Perfect! No error generated. Will test some more.

interfasys
04-06-2005, 09:26 PM
The use.perl port is not needed anymore. Symlinks and make.conf are created by perl-5.8.6.

servertweak
05-04-2005, 02:54 PM
Red Hat Enterprise 3

What is the install?