ActiveState announces ActivePerl 5.8.9.826 and 5.10.0.1005
by Jan Dubois
Jun 1 2009 2:11PM

ActiveState is pleased to announce ActivePerl 5.8.9 build 826
and ActivePerl 5.10.0 build 1005, complete, ready-to-install
Perl distributions for Windows, Mac OS X, Linux, Solaris, and AIX.

For detailed information or to download these releases, see:

  http://www.activestate.com/Products/activeperl

New in ActivePerl 5.8.9 Build 826
=================================

* The following security vulnerabilities in the Crypt::SSLeay module
  were addressed in this release by upgrading the OpenSSL libraries to
  version 0.9.8k:

  - CVE-2009-0590 (ASN1 printing crash)

  The function ASN1_STRING_print_ex() when used to print a BMPString or
  UniversalString will crash with an invalid memory access if the
  encoded length of the string is illegal.

  Any OpenSSL application which prints out the contents of a certificate
  could be affected by this bug, including SSL servers, clients and
  S/MIME software.

  - CVE-2009-0789 (Invalid ASN1 clearing check)

  When a malformed ASN1 structure is received its contents are freed up
  and zeroed and an error condition returned. On 64-bit Windows this can
  cause an invalid memory access later resulting in a crash when some
  invalid structures are read, for example RSA public keys.

  Any OpenSSL application on 64-bit Windows which uses the public key of
  an untrusted certificate could be crashed by a malformed
  structure, including SSL servers, clients, CA and S/MIME software.

  - CVE-2008-5077 (Incorrect checks for malformed signatures)

  Several functions inside OpenSSL incorrectly checked the result after
  calling the EVP_VerifyFinal function, allowing a malformed signature
  to be treated as a good signature rather than as an error.  This issue
  affected the signature checks on DSA and ECDSA keys used with SSL/TLS.

  One way to exploit this flaw would be for a remote attacker who is in
  control of a malicious server or who can use a 'man in the middle'
  attack to present a malformed SSL/TLS signature from a certificate
  chain to a vulnerable client, bypassing validation.

* PerlEx no longer sets the MOD_PERL environment variable (the change from
  build 825 has been reverted), as it has undesirable side-effects.

* The -p function used to always return a false value on Windows.  It
  now correctly detects if the filehandle argument is a pipe or not.  Also
  the Fcntl::S_IFIFO constant is now defined.

* A potential buffer overflow in Perl for ISAPI has been fixed.  Whenever
  Perl for ISAPI wrote an error message to the log file it would
  potentially write beyond the end of a heap buffer.

* All bundled modules have been updated to their latest versions.

New in ActivePerl 5.10.0 Build 1005
===================================

The changes in ActivePerl build 1005 are the same as for build 826 with
the exception that PerlEx in build 1004 didn't claim to be mod_perl, so
this didn't need to be reverted.

Latest DBD::mysql binaries for Windows
======================================

In unrelated news, we've also updated the Windows PPM repositories with
the latest DBD::mysql binaries for Perl 5.8, 5.10, and 64-bit 5.10.  You
can install them simply by running

    ppm install DBD-mysql

Getting Started
===============

Whether you're a first-time user or a long-time fan, our free resources
will help you get the most from ActivePerl.

Mailing list archives:

  http://aspn.activestate.com/ASPN/Mail/Browse/Threaded/ActivePerl

Feedback
========

Everyone is encouraged to participate in making Perl an even better
language.

For bugs related to ActiveState use:

  http://bugs.activestate.com/enter_bug.cgi?product=ActivePerl&version=826
  http://bugs.activestate.com/enter_bug.cgi?product=ActivePerl&version=1005

For bugs related directly to Perl please use the 'perlbug' utility.

Enjoy!
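
Added example, not part of the original announcement and not OpenSSL or ActiveState code: the class of return-value mistake described under CVE-2008-5077, shown beside the corrected check. It assumes the incorrect check was a boolean test on a result that follows the EVP_VerifyFinal convention (1 valid, 0 invalid, -1 error); toy_verify_final, accept_buggy, accept_fixed and the byte arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a verify call with EVP_VerifyFinal()'s result
 * convention: 1 = valid, 0 = invalid, -1 = error. No real cryptography. */
static int toy_verify_final(const unsigned char *sig, size_t n,
                            const unsigned char *exp, size_t m)
{
    /* DSA/ECDSA signatures are a DER SEQUENCE: tag 0x30, then a length
     * (short form only here) that must equal the bytes that follow. */
    if (n < 2 || sig[0] != 0x30 || (size_t)sig[1] != n - 2)
        return -1;                 /* malformed encoding: an error */
    if (n - 2 != m || memcmp(sig + 2, exp, m) != 0)
        return 0;                  /* well-formed, but does not match */
    return 1;
}

/* Assumed pre-fix pattern: a boolean test rejects only 0. */
static int accept_buggy(const unsigned char *sig, size_t n,
                        const unsigned char *exp, size_t m)
{
    if (!toy_verify_final(sig, n, exp, m))
        return 0;
    return 1;                      /* reached for 1 and also for -1 */
}

/* Corrected pattern: every non-positive result is a failure. */
static int accept_fixed(const unsigned char *sig, size_t n,
                        const unsigned char *exp, size_t m)
{
    return toy_verify_final(sig, n, exp, m) > 0;
}

/* Constructed sample inputs. */
static const unsigned char EXPECTED[]  = { 0xAA, 0xBB };
static const unsigned char GOOD[]      = { 0x30, 0x02, 0xAA, 0xBB };
static const unsigned char WRONG[]     = { 0x30, 0x02, 0xAA, 0xCC };
static const unsigned char MALFORMED[] = { 0x30, 0x7F, 0xAA, 0xBB };

int main(void)
{
    printf("malformed: buggy=%d fixed=%d\n",
           accept_buggy(MALFORMED, sizeof MALFORMED, EXPECTED, sizeof EXPECTED),
           accept_fixed(MALFORMED, sizeof MALFORMED, EXPECTED, sizeof EXPECTED));
    return 0;
}
```

When auditing callers of any tri-state verify function, look for `if (!verify(...))` and `if (verify(...))` and compare against the `<= 0` or `== 1` form.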
