ActiveState announces ActivePerl 5.8.9.826 and 5.10.0.1005
on 01.06.2009 23:11:25 by Jan Dubois
ActiveState is pleased to announce ActivePerl 5.8.9 build 826
and ActivePerl 5.10.0 build 1005, complete, ready-to-install
Perl distributions for Windows, Mac OS X, Linux, Solaris, and AIX.
For detailed information or to download these releases, see:
http://www.activestate.com/Products/activeperl
New in ActivePerl 5.8.9 Build 826
=================================
* The following security vulnerabilities in the Crypt::SSLeay module
were addressed in this release by upgrading the OpenSSL libraries to
version 0.9.8k:
- CVE-2009-0590 (ASN1 printing crash)
The function ASN1_STRING_print_ex() when used to print a BMPString or
UniversalString will crash with an invalid memory access if the
encoded length of the string is illegal.
Any OpenSSL application which prints out the contents of a certificate
could be affected by this bug, including SSL servers, clients and
S/MIME software.
- CVE-2009-0789 (Invalid ASN1 clearing check)
When a malformed ASN1 structure is received its contents are freed up
and zeroed and an error condition returned. On 64-bit Windows this can
cause an invalid memory access later resulting in a crash when some
invalid structures are read, for example RSA public keys.
Any OpenSSL application on 64-bit Windows which uses the public key of
an untrusted certificate could be crashed by a malformed
structure, including SSL servers, clients, CA and S/MIME software.
- CVE-2008-5077 (Incorrect checks for malformed signatures)
Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error. This issue
affected the signature checks on DSA and ECDSA keys used with SSL/TLS.
One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate
chain to a vulnerable client, bypassing validation.
* PerlEx no longer sets the MOD_PERL environment variable (the change from
build 825 has been reverted), as it has undesirable side-effects.
* The -p function used to always return a false value on Windows. It
now correctly detects if the filehandle argument is a pipe or not. Also
the Fcntl::S_IFIFO constant is now defined.
* A potential buffer overflow in Perl for ISAPI has been fixed. Whenever
Perl for ISAPI wrote an error message to the log file it would
potentially write beyond the end of a heap buffer.
* All bundled modules have been updated to their latest versions.
New in ActivePerl 5.10.0 Build 1005
===================================
The changes in ActivePerl build 1005 are the same as for build 826 with
the exception that PerlEx in build 1004 didn't claim to be mod_perl, so
this didn't need to be reverted.
Latest DBD::mysql binaries for Windows
======================================
In unrelated news, we've also updated the Windows PPM repositories with
the latest DBD::mysql binaries for Perl 5.8, 5.10, and 64-bit 5.10. You
can install them simply by running
    ppm install DBD-mysql
Getting Started
===============
Whether you're a first-time user or a long-time fan, our free resources
will help you get the most from ActivePerl.
Mailing list archives:
http://aspn.activestate.com/ASPN/Mail/Browse/Threaded/ActivePerl
Feedback
========
Everyone is encouraged to participate in making Perl an even better
language.
For bugs related to ActiveState use:
http://bugs.activestate.com/enter_bug.cgi?product=ActivePerl&version=826
http://bugs.activestate.com/enter_bug.cgi?product=ActivePerl&version=1005
For bugs related directly to Perl please use the 'perlbug' utility.
Enjoy!
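The CVE-2008-5077 entry above describes callers that mishandled the result of EVP_VerifyFinal, which reports 1 for a good signature, 0 for a bad one and -1 for an error. The following is an added example, not code from OpenSSL, ActiveState or the original announcement: model_verify_final, the two accept_* callers and all sample bytes are constructed stand-ins that show why a plain truth test on a tri-state result accepts a malformed signature, next to the corrected comparison.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a tri-state verifier: 1 = good signature,
 * 0 = bad signature, -1 = error. The toy "signature" is one length byte
 * followed by that many bytes, which must equal the expected tag. */
static int model_verify_final(const unsigned char *sig, size_t siglen,
                              const unsigned char *tag, size_t taglen)
{
    if (siglen < 1 || (size_t)sig[0] != siglen - 1)
        return -1;                 /* malformed encoding: error */
    if (sig[0] != taglen || memcmp(sig + 1, tag, taglen) != 0)
        return 0;                  /* well formed, wrong value */
    return 1;                      /* well formed and matching */
}

/* Flawed caller: only 0 counts as failure, so -1 falls through as success. */
int accept_flawed(const unsigned char *sig, size_t siglen,
                  const unsigned char *tag, size_t taglen)
{
    if (!model_verify_final(sig, siglen, tag, taglen))
        return 0;
    return 1;
}

/* Corrected caller: anything other than exactly 1 is a rejection. */
int accept_fixed(const unsigned char *sig, size_t siglen,
                 const unsigned char *tag, size_t taglen)
{
    return model_verify_final(sig, siglen, tag, taglen) == 1;
}

/* Constructed sample inputs (hypothetical values, not real signatures). */
static const unsigned char TAG[]           = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_GOOD[]      = { 4, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_WRONG[]     = { 4, 0xde, 0xad, 0xbe, 0xee };
static const unsigned char SIG_MALFORMED[] = { 9, 0xde, 0xad }; /* bad length */

int main(void)
{
    printf("good:      flawed=%d fixed=%d\n",
           accept_flawed(SIG_GOOD, sizeof SIG_GOOD, TAG, sizeof TAG),
           accept_fixed(SIG_GOOD, sizeof SIG_GOOD, TAG, sizeof TAG));
    printf("wrong:     flawed=%d fixed=%d\n",
           accept_flawed(SIG_WRONG, sizeof SIG_WRONG, TAG, sizeof TAG),
           accept_fixed(SIG_WRONG, sizeof SIG_WRONG, TAG, sizeof TAG));
    printf("malformed: flawed=%d fixed=%d\n",
           accept_flawed(SIG_MALFORMED, sizeof SIG_MALFORMED, TAG, sizeof TAG),
           accept_fixed(SIG_MALFORMED, sizeof SIG_MALFORMED, TAG, sizeof TAG));
    return 0;
}
```

When auditing code built against an affected OpenSSL, the same review applies to any call whose result is tested with `!` or as a bare truth value instead of being compared against 1.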