# Perl vulnerabilities in FreeBSD 11.0-RELEASE-p1



## dazm_2000 (Apr 24, 2017)

Hi,

I wonder if someone could offer some advice / guidance please?

We are running a few hosts on FreeBSD 11.0-RELEASE-p1; a recent vulnerability scan of these hosts shows the following defects in Perl 5.24.1:

CVE-2016-1238: Important unsafe module load path flaw
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html

p5-XSLoader -- local arbitrary code execution
https://vuxml.freebsd.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

I've updated ports but it seems the latest release of Perl available is the one we are running with the defects i.e. perl 5, version 24, subversion 1.

What are my options for upgrading Perl to remove these vulnerabilities?

Many thanks, daz


----------



## SirDice (Apr 24, 2017)

dazm_2000 said:


> CVE-2016-1238: Important unsafe module load path flaw
> http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html


Was updated more than 8 months ago: https://svnweb.freebsd.org/ports?view=revision&revision=420067


dazm_2000 said:


> p5-XSLoader -- local arbitrary code execution
> https://vuxml.freebsd.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html


Also fixed 8 months ago: https://svnweb.freebsd.org/ports?view=revision&revision=419686


----------



## dazm_2000 (Apr 24, 2017)

I'm confused!

Are you saying that the perl installed as part of FreeBSD 11.0-RELEASE-p1:

```
perl -v
This is perl 5, version 24, subversion 1 (v5.24.1) built for amd64-freebsd-thread-multi
```
is actually 5.24.1-RC2?


----------



## dazm_2000 (Apr 24, 2017)

Doesn't appear to be the case. I updated the ports tree this morning:

```
xxx@xxx.xxxxx:~ $ cd /usr/ports/lang/perl5
perl5-devel/ perl5.18/    perl5.20/    perl5.22/    perl5.24/    
xxx@xxx.xxxxx:~ $ cd /usr/ports/lang/perl5.24/
xxx@xxx.xxxxx:/usr/ports/lang/perl5.24 $ more distinfo 
TIMESTAMP = 1484491231
SHA256 (perl/perl-5.24.1.tar.xz) = 03a77bac4505c270f1890ece75afc7d4b555090b41aa41ea478747e23b2afb3f
SIZE (perl/perl-5.24.1.tar.xz) = 11569284
```
So how do I upgrade Perl to a version that is > perl-5.24.1?

Many thanks!

daz


----------



## SirDice (Apr 24, 2017)

There is no version 5.24.2. The CVEs were against a release candidate of 5.24.1.


----------



## SirDice (Apr 24, 2017)

I'd be more worried about the fact it's FreeBSD 11.0-RELEASE-p1. It should be p8 now.

https://www.freebsd.org/security/advisories.html


----------



## dazm_2000 (Apr 24, 2017)

Here you go, please see the attached images of the scan results.

Thanks, Daz


----------



## SirDice (Apr 24, 2017)

Affected version: Perl 5.24.1 RC2. Perl 5.24.1 supersedes that.
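
The distinction SirDice draws above (a release candidate such as 5.24.1-RC2 is older than the final 5.24.1, so a scanner that matches on the bare version string reports a false positive) can be checked on the host itself. The script below is an added example and is not from this thread or from the FreeBSD project; it assumes the `(vX.Y.Z)` token that `perl -v` prints, treats `5.24.1` as the fixed release and `p8` as the expected patch level purely because those figures appear in the posts above, and is plain POSIX sh so it runs under FreeBSD's /bin/sh.

```shell
#!/bin/sh
# Added example, not code from the thread. Answers the question the scanner got
# wrong: is the installed Perl at or above the fixed release, given that a
# release candidate (5.24.1-RC2) sorts BEFORE the final 5.24.1?

# Turn a Perl version string into four numeric fields "MAJOR MINOR PATCH PRE".
# PRE is the RC number for a release candidate and 999 for a final release,
# so "5.24.1-RC2" -> "5 24 1 2" and "v5.24.1" -> "5 24 1 999".
version_key() {
    v=${1#v}
    case "$v" in
        *-[Rr][Cc]*) pre=${v##*-[Rr][Cc]}; base=${v%-*} ;;
        *)           pre=999;              base=$v ;;
    esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${pre:-0}"
}

# version_ge INSTALLED FIXED: succeeds (exit 0) when INSTALLED >= FIXED.
version_ge() {
    set -- $(version_key "$1") $(version_key "$2")   # $1..$4 installed, $5..$8 fixed
    i=1
    while [ "$i" -le 4 ]; do
        eval "x=\$$i; y=\$$((i + 4))"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0   # every field equal
}

# Pull the "(vX.Y.Z...)" token out of a 'perl -v' banner read from stdin, e.g.
# "This is perl 5, version 24, subversion 1 (v5.24.1) built for ..." -> v5.24.1
perl_version_from_banner() {
    sed -n 's/.*(\(v[0-9][^)]*\)).*/\1/p'
}

# Patch level of a FreeBSD release string: "11.0-RELEASE-p1" -> 1, "11.0-RELEASE" -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

main() {
    fixed_perl=5.24.1   # the final release that supersedes the flagged 5.24.1-RC2
    expected_patch=8    # assumed current patch level for 11.0-RELEASE, taken from the thread

    if command -v perl >/dev/null 2>&1; then
        installed=$(perl -v 2>/dev/null | perl_version_from_banner)
        if version_ge "${installed:-0}" "$fixed_perl"; then
            echo "perl ${installed}: at or above ${fixed_perl}, the RC-era advisories do not apply"
        else
            echo "perl ${installed:-unknown}: below ${fixed_perl}, rebuild lang/perl5.24 from ports"
        fi
    fi

    if command -v freebsd-version >/dev/null 2>&1; then
        rel=$(freebsd-version -u)
        if [ "$(patch_level "$rel")" -lt "$expected_patch" ]; then
            echo "$rel: behind p${expected_patch}, run 'freebsd-update fetch install'"
        else
            echo "$rel: patch level current"
        fi
    fi
}

main "$@"
```

`version_ge` is the part a scanner needs and usually lacks: it orders `5.24.1-RC2 < 5.24.1` while still ordering `5.22.4 < 5.24.1`, so a host running the final 5.24.1 from `lang/perl5.24` is reported clean. The second check reflects SirDice's other point in this thread: the userland patch level (`freebsd-version -u`) matters more than the Perl advisories, since `11.0-RELEASE-p1` is several security advisories behind.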


----------



## dazm_2000 (Apr 24, 2017)

Thank you SirDice!


----------

