# SECURITY -- PERL VULNERABILITY



## S3TH76 (May 13, 2016)

First of all, I'm sorry that this thread will appear to be off topic, but I searched for a SECURITY category and it is not present, so I wrote this here, in this category where, I think, there are more services affected on a server.

Well, this morning I read the internal mail and found out that my server has a package vulnerable to DOS attacks, and not only that (perl5-5.18.4_11).

So I ran `pkg audit perl | more` and here it is:

```
Affected versions:
>= 5.16.0 : < 5.16.2_1
>= 5.14.0 : < 5.14.2_3
perl -- denial of service via algoritmic complexity attack on hash routines
CVE: CVE-2013-1667

>= 5.8.0 : 5.8.9
perl -- Directory Permission Race Condition
CVE: CVE-2005-0448

> 5.8.* : < 5.8.8_1
PERL -- regular exxpression unicode data buffer overflow
CVE: CVE-2007-5116

>= 5.8 : < 5.8.6_2
perl -- vulnerabilities in PERLIO_DEBUG handling
CVE: CVE-2005-0156
CVE: CVE-2005-0155

>= 5.8.0 : < 5.8.7_1
>= 5.6.0 : < 5.6.2
perl, webmin, usermin -- perl format string integer wrap vulnerability
CVE: CVE-2005-3962
CVE: CVE-2005-3912

>= 5.8.0 : < 5.8.6
>= 0 : < 5.6.2
perl -- File::Path insecure file/directory permissions
CVE: CVE-2004-0452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0452
```
Well, the last one is interesting for me (*>= 0 : < 5.6.2*). So I was wondering how long until a patch for these vulnerabilities is released? Or, if one exists already, where is it? Because I'm a little bit freaked out here!

What should I do?


----------



## S3TH76 (May 13, 2016)

...I come back with a follow-up and another question. I googled it a little bit and found out that I have perl v5.20, but then, here I go again: why does `pkg audit perl | more` say "1 problem(s) in the installed packages found"?


----------



## SirDice (May 13, 2016)

S3TH76 said:


> So I was wondering how long until a patch for these vulnerabilities is released?


Already fixed.

PR 208879


----------



## S3TH76 (May 13, 2016)

OK... but I'm not convinced; on that page you reference there is not a single word about *[CVE-2004-0452]*, I can't link anything with it.

Another issue, again: why does `pkg audit perl` say I have *1 problem in installed packages*? *perl -v* says: *perl v5.20.3*, so why does it say that? Is it a configuration problem with my pkg.conf, or does a real threat exist?


----------



## SirDice (May 13, 2016)

S3TH76 said:


> OK... but I'm not convinced; on that page you reference there is not a single word about *[CVE-2004-0452]*, I can't link anything with it.


Because it's a really old one that was patched 12 years ago on a version of Perl that's not even supported anymore.



> Another issue, again: why does `pkg audit perl` say I have *1 problem in installed packages*? *perl -v* says: *perl v5.20.3*, so why does it say that? Is it a configuration problem with my pkg.conf, or does a real threat exist?


Because they're local patches and the version of Perl doesn't change.

https://svnweb.freebsd.org/ports/head/lang/perl5.20/files/?view=log


----------



## S3TH76 (May 19, 2016)

OK, good, and what should I do to stop seeing that message? And why did it appear now?


----------



## SirDice (May 19, 2016)

Use `pkg audit`. A `pkg audit <pkgname>` shows all security advisories for that package, past and present.


----------



## S3TH76 (May 19, 2016)

I used it. All the time, but until then that error didn't appear...


----------



## SirDice (May 19, 2016)

What error?


----------



## S3TH76 (May 24, 2016)

Well, I told you already that one morning when I was verifying my server's logs, I gave the command `pkg audit perl` because, after fetching the vulnerability database, it appeared that perl5-5.18.4_11 was vulnerable.

So I still don't understand why this warning appeared in my logs (this year, 2016) if that package was fixed in its previous versions and FreeBSD (several years ago)?

*perl -v* says: *perl v5.20.3*, so why does it say that? Can't the system identify package versions, or what?

How should I react to similar warnings for other packages? Is it a misconfiguration of pkg or another package on my server, or what?


----------



## SirDice (May 24, 2016)

Again, use `pkg audit`. Nothing else, no `pkg audit <packagename>` or anything else. As for looking for specific versions, use `pkg version -v`. That will actually show you the version, including the port revision of the installed packages.

A `pkg audit perl` simply shows *all* available advisories for perl. This includes old ones. It will even show you this list when you don't have perl installed.


----------
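As an added illustration of SirDice's point that `pkg audit perl` prints every advisory for the package regardless of what is installed, the following Python script (written for this thread, not code from the posts or from pkg(8)) parses the advisory listing format quoted above and reports only the CVEs whose version ranges actually contain a given installed version. The version ordering is an assumed simplification of pkg(8)'s: numeric dotted components, `_revision` and `,epoch` only.

```python
import re

# Constructed sample: two entries copied from the `pkg audit perl` output above.
AUDIT_OUTPUT = """\
>= 5.16.0 : < 5.16.2_1
>= 5.14.0 : < 5.14.2_3
perl -- denial of service via algoritmic complexity attack on hash routines
CVE: CVE-2013-1667

>= 5.8.0 : < 5.8.6
>= 0 : < 5.6.2
perl -- File::Path insecure file/directory permissions
CVE: CVE-2004-0452
"""

RANGE_RE = re.compile(r"^\s*(>=?|<=?)\s*(\S+)\s*:\s*(>=?|<=?)\s*(\S+)\s*$")
OPS = {">": (1,), ">=": (0, 1), "<": (-1,), "<=": (-1, 0)}  # accepted compare() results

def version_key(v):
    # Assumed, simplified pkg(8) ordering for 'a.b.c_revision,epoch': numeric parts
    # only (letter suffixes such as 5.8.8p1 are not modelled).
    epoch = rev = "0"
    if "," in v:
        v, epoch = v.split(",", 1)
    if "_" in v:
        v, rev = v.split("_", 1)
    return int(epoch), [int(re.match(r"\d*", p).group() or 0) for p in v.split(".")], int(rev)

def compare(a, b):
    """Return -1, 0 or 1; missing dotted components count as 0 (5.8 == 5.8.0)."""
    (ea, pa, ra), (eb, pb, rb) = version_key(a), version_key(b)
    n = max(len(pa), len(pb))
    ka, kb = (ea, pa + [0] * (n - len(pa)), ra), (eb, pb + [0] * (n - len(pb)), rb)
    return (ka > kb) - (ka < kb)

def affected(installed, audit_text):
    """CVEs from the audit listing whose version ranges contain `installed`."""
    hits, ranges, cves = [], [], []
    for line in audit_text.splitlines() + [""]:
        m = RANGE_RE.match(line)
        if m:
            ranges.append(m.groups())
        elif line.startswith("CVE:"):
            cves.append(line.split(":", 1)[1].strip())
        elif not line.strip() and ranges:  # a blank line ends one advisory entry
            if any(compare(installed, lo) in OPS[o1] and compare(installed, hi) in OPS[o2]
                   for o1, lo, o2, hi in ranges):
                hits.extend(cves)
            ranges, cves = [], []
    return hits
```

For the perl v5.20.3 mentioned in the thread, `affected("5.20.3", AUDIT_OUTPUT)` returns an empty list even though `pkg audit perl` lists both advisories.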

