ActivePerl 5.22 Release Notes

For the latest information on ActivePerl, please see the ActiveState website

Build 2204, January 2017

Build 2204 is identical to build 2203 with the exception of the core, which has been updated to 5.22.3. For the non-core changes, refer to the section on build 2203 below.

Bug Fixes and Changes since build 2203

  • The following security vulnerabilities have been addressed:

    CVE-2016-1238

    The tools and many modules supplied in core no longer search the default current directory entry in @INC for optional modules. For example, Storable will remove the final "." from @INC before trying to load Log::Agent.

    This prevents an attacker from injecting an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.

    In most cases this removal should not cause problems, but difficulties were encountered with base, which treats every module name supplied as optional. These difficulties have not yet been resolved, so for this release there are no changes to base. The Perl team hopes to have a fix for base in Perl 5.22.4.

    Please see perldelta for more information on how to protect your own code from this attack.

    CVE-2016-6185

    XSLoader contained a security hole in which binary files could be loaded from a path outside of @INC.

  • Significant changes that have occurred in the Perl 5.22.3 release are documented in perldelta.

  • Most bundled modules have been updated to their latest released version from CPAN. Use the ppm query command to check the exact version included in this release.
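The protection perldelta describes for your own code under CVE-2016-1238, shown here as an added example (not code from the release notes or from Storable itself): drop a trailing "." from @INC while requiring an optional module, so a same-named file in a writable current directory is never picked up. Log::Agent is the optional module the text mentions; Module::Does::Not::Exist is a placeholder name assumed never to be installed.

```perl
#!/usr/bin/perl
# Added example, not from the release notes or from Storable itself: load an
# optional module without consulting a trailing "." in @INC, which is the
# mitigation described for CVE-2016-1238.
use strict;
use warnings;

# Require an optional module with the current-directory entry removed from
# the search path for the duration of the call. Returns 1 if the module was
# loaded, 0 if it is simply not installed; any other failure is re-thrown.
sub load_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;

    local @INC = @INC;                       # scoped copy; caller's @INC untouched
    pop @INC if @INC && $INC[-1] eq '.';     # never search the cwd

    return 1 if eval { require $file; 1 };
    my $err = $@;
    return 0 if $err =~ /^Can't locate \Q$file\E in \@INC/;   # absent = optional
    die $err;                                # syntax error, missing dependency, ...
}

# Log::Agent is the optional dependency the release notes mention for
# Storable; Module::Does::Not::Exist is a placeholder that is never installed.
for my $mod ('Log::Agent', 'Module::Does::Not::Exist') {
    printf "%-26s %s\n", $mod,
        load_optional($mod) ? 'loaded from a trusted @INC entry'
                            : 'not installed, continuing without it';
}
```

Nested requires made by the optional module see the same shortened @INC, which is what you want. From Perl 5.26 onward "." is no longer in @INC by default, so the pop is a harmless no-op there.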

Build 2203, January 2017

Build 2203 is a mid-cycle release with updated libraries and modules only. It contains the same core version as the previous build, 5.22.2.

Bug Fixes and Changes since build 2202

  • OpenSSL has been upgraded to version 1.1.0c. For more information on this version, visit https://www.openssl.org/news/openssl-1.1.0-notes.html

    IO-Socket-SSL 2.40 (was 2.27)
    Net-SSLeay 1.78 (was 1.74)

  • GD's supporting libraries have been updated:

    libpng updated to 1.6.26 (was 1.6.21)
    fontconfig updated to 2.12.1 (was 2.11.95)
    freetype2 updated to 2.6.5 (was 2.6.3)
    libgd updated to 2.2.3 (was 2.1.1)

  • The PostgreSQL client library used by DBD-Pg has been upgraded to 9.6.1 in order to support OpenSSL 1.1.0.

  • Most bundled modules have been updated to their latest released version from CPAN. Use the ppm query command to check the exact version included in this release.

  • The installer for ActivePerl on Windows is now signed and should be easier to install.

  • The Mac version of ActivePerl is now distributed as a signed .pkg installer instead of a .dmg bundle and should be easier to install.

Build 2202, June 2016

Build 2202 is based on Perl 5.22.2 plus additional selected changes.

Bug Fixes and Changes since build 2201

  • The following security vulnerabilities have been addressed:

    OpenSSL - multiple fixes

    OpenSSL has been upgraded to 1.0.2h to address several issues. Please see https://www.openssl.org/news/secadv/20160503.txt for full details.

    CVE-2016-2108: Memory corruption in the ASN.1 encoder

    CVE-2016-2107: Padding oracle in AES-NI CBC MAC check

    CVE-2016-2105: EVP_EncodeUpdate overflow

    CVE-2016-2106: EVP_EncryptUpdate overflow

    CVE-2016-2109: ASN.1 BIO excessive memory allocation

    CVE-2016-2176: EBCDIC overread

  • The GD module and supporting libraries have been upgraded.

    GD updated to 2.56 (was 2.53)
    libjpeg updated to v9b (was v9)
    libpng updated to 1.6.21 (was 1.4.15)
    fontconfig 2.11.95 for libgd added
    freetype2 updated to 2.6.3 (was 2.4.11)
    libgd updated to 2.1.1 (was 2.0.35)

  • Significant changes that have occurred in the Perl 5.22.2 release are documented in perldelta.

  • Most bundled modules have been updated to their latest released version from CPAN. Use the ppm query command to check the exact version included in this release.

Build 2201, January 2016

Build 2201 is based on Perl 5.22.1 plus additional selected changes.

Bug Fixes and Changes since build 2200

  • The following security vulnerabilities have been addressed:

    OpenSSL - multiple fixes

    OpenSSL has been upgraded to 1.0.2e to address several moderate issues. Please see https://www.openssl.org/news/secadv/20151203.txt for full details.

    CVE-2015-3193: BN_mod_exp may produce incorrect results on x86_64

    CVE-2015-3194: Certificate verify crash with missing PSS parameter

    CVE-2015-3195: X509_ATTRIBUTE memory leak

    CVE-2015-3196: Race condition handling PSK identify hint

    CVE-2015-1794: Anon DH ServerKeyExchange with 0 p parameter

    CVE-2015-8607

    Beginning in PathTools 3.47 and/or perl 5.20.0, the File::Spec::canonpath() routine returned untainted strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code.

    CVE-2015-8608

    Perl 5 on Windows suffers from two out-of-bounds read and multiple small buffer over-read vulnerabilities in the VDir::MapPathA and VDir::MapPathW functions that could potentially be exploited to achieve arbitrary code execution.

    These defects have been present since perl-5.005_02-2346-g7766f13, circa 1999, and are still present in the latest releases of Perl.

  • Significant changes that have occurred in the Perl 5.22.1 release are documented in perl5221delta.

  • Most bundled modules have been updated to their latest released version from CPAN. Use the ppm query command to check the exact version included in this release.
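A check for the taint guarantee described under CVE-2015-8607, added here as an example and not part of the release notes: run under perl -T with a command-line argument (tainted by definition) and confirm that the result of File::Spec->canonpath() is still tainted on the installed PathTools.

```perl
#!/usr/bin/perl
# Added example, not from the release notes: report whether
# File::Spec->canonpath() on this perl preserves taint, i.e. whether the
# PathTools defect described in CVE-2015-8607 is present.
# Usage: perl -T check_canonpath.pl "some/../untrusted/path"
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Returns 1 when taint survives canonpath, 0 when it is silently dropped.
# Dies if the value passed in is not tainted, because the check would be
# meaningless (typically the script was started without -T).
sub canonpath_keeps_taint {
    my ($path) = @_;
    die "input is not tainted; run under perl -T with external input\n"
        unless tainted($path);
    return tainted(File::Spec->canonpath($path)) ? 1 : 0;
}

# Under -T every value taken from @ARGV or %ENV is tainted, so a
# command-line argument is a convenient stand-in for untrusted input.
die "usage: perl -T $0 <path>\n" unless @ARGV;
my $input = $ARGV[0];

if (canonpath_keeps_taint($input)) {
    printf "PathTools %s: canonpath keeps taint (fixed)\n", File::Spec->VERSION;
} else {
    printf "PathTools %s: canonpath DROPS taint (CVE-2015-8607 present)\n",
        File::Spec->VERSION;
    exit 1;
}
```

A non-zero exit marks an installation whose taint checks can no longer be relied on for paths that pass through canonpath.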

Build 2200, June 2015

What's new in the 2200 Series

  • This build corresponds to the Perl 5.22.0 source code release.

  • The 2200 series builds of ActivePerl are not binary compatible with builds in the 2000 or earlier series. Any extensions built using binaries from the ActivePerl 2000 or earlier series will need to be recompiled. Note especially that this applies to PPM packages that may have been built for earlier series of ActivePerl.

  • Significant changes that have occurred since the 5.20 release are documented in perl5220delta.

  • Most bundled distributions have been updated to their latest released version from CPAN. Use the ppm list command to check the exact version included in this release.