Summary: | <dev-lang/perl-5.22.1: denial-of-service / Regexp-matching "hangs" indefinitely on illegal input using binmode :utf8 using 100%CPU (CVE-2015-8853) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | perl |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2016/04/20/5 | ||
Whiteboard: | A3 [glsa cve] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 589680 | ||
Bug Blocks: | | ||
Description
Agostino Sarubbo
2016-04-20 09:29:10 UTC
This is fixed in Perl 5.22.1.

It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security fixes comes out in a few days. -> Let's wait for that.

(In reply to Andreas K. Hüttel from comment #1)
> This is fixed in Perl 5.22.1.
>
> It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security
> fixes comes out in a few days. -> Let's wait for that.

Perl 5.22.2 was released today and is already available in Gentoo. Stabilization will be handled in bug 567482 after a testing period. Please wait for now; arches will be CC'ed in bug 567482 when we're ready to go ahead.

(In reply to Andreas K. Hüttel from comment #2)
> (In reply to Andreas K. Hüttel from comment #1)
> > This is fixed in Perl 5.22.1.
> >
> > It makes no sense to stabilize 5.22.1 now, since 5.22.2 with more security
> > fixes comes out in a few days. -> Let's wait for that.
>
> Perl 5.22.2 was released today and is already available in Gentoo.
> Stabilization will be handled in bug 567482 after a testing period. Please
> wait for now; arches will be CC'ed in bug 567482 when we're ready to go
> ahead.

Perl 5.22.2 is ready for stabilization; please proceed in bug 567482. There you can find the full list of packages to be stabilized.

Added to existing GLSA.

This issue was resolved and addressed in GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75 by GLSA coordinator Thomas Deutschmann (whissi).