CVE-2009-3626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3626): Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.
5.10.1 was fixed: | 27 Oct 2009; Torsten Veller <tove@gentoo.org> perl-5.10.1.ebuild: | Fix RT69973: disable non-unicode case insensitive trie matching (#290194) 5.8.8 is not vulerable.
I only grepped for the CVE identifier and UTF. #290194 only lists dev-perl/HTML-Parser and has a different CVE; I didn't look into this too deeply...if I understood it correctly, you are 100% it's the same bug/already fixed? I'm just wondering about the different CVE numbers.
(In reply to comment #2) > if I understood it correctly, you are 100% it's the same bug/already > fixed? I'm just wondering about the different CVE numbers. Jepp. Bug #290194 links the spamassassin bug which is about the HTML-Parser and the perl bug so both were fixed.
*** This bug has been marked as a duplicate of bug 290194 ***
27 Oct 2009; Torsten Veller <tove@gentoo.org> perl-5.10.1.ebuild: Fix RT69973: disable non-unicode case insensitive trie matching (#290194) Changing the ebuild in place does not fix the vulnerability for users that have it installed. Please revbump.
perl-5.10.1 is still package.mask'ed and i left a note on the tracker bug <https://bugs.gentoo.org/show_bug.cgi?id=280724#c1> to bump i when it gets unmasked.
Ok, I was not aware it is p.masked. Sorry for the noise.
