Tracker that will at some point be turned into a stable request. No talking here please.
Provisionary stabilization list:

=dev-lang/perl-5.22.2
=virtual/perl-Archive-Tar-2.40.0
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0
=virtual/perl-CPAN-2.110.0
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0
=virtual/perl-Digest-SHA-5.950.0
=virtual/perl-Exporter-5.720.0
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r1
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0
=virtual/perl-JSON-PP-2.273.0
=virtual/perl-Locale-Maketext-1.260.0
=virtual/perl-MIME-Base64-3.150.0
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0
=virtual/perl-Pod-Parser-1.630.0
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14
=virtual/perl-Text-Balanced-2.30.0
=virtual/perl-Text-ParseWords-3.300.0
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
In the virtual/perl-Encode-2.730.0 ebuild there is a comment:

"# stabilize this together with dev-lang/perl-5.22*"

Shall we add it to the list?
(In reply to Paolo Pedroni from comment #2)
> In the virtual/perl-Encode-2.730.0 ebuild there is a comment:
>
> "# stabilize this together with dev-lang/perl-5.22*"
>
> Shall we add it to the list?

Yes, thank you.
Arches please test and stabilize the whole list below simultaneously.

Target: all stable arches

This fixes several CVEs (some not in Gentoo bugzilla yet), so please give it some priority.

If you have a clean deptree installed (e.g. no updates prevented by dependencies), and if you have recently run depclean, this should merge fine without any blockers, and also rebuild all your perl modules via the subslot change. If it does not, talk to me please.

=dev-lang/perl-5.22.2
=perl-core/Encode-2.730.0
=virtual/perl-Archive-Tar-2.40.0
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0
=virtual/perl-CPAN-2.110.0
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0
=virtual/perl-Digest-SHA-5.950.0
=virtual/perl-Encode-2.730.0
=virtual/perl-Exporter-5.720.0
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r1
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0
=virtual/perl-JSON-PP-2.273.0
=virtual/perl-Locale-Maketext-1.260.0
=virtual/perl-MIME-Base64-3.150.0
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0
=virtual/perl-Pod-Parser-1.630.0
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14
=virtual/perl-Text-Balanced-2.30.0
=virtual/perl-Text-ParseWords-3.300.0
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
Arches please hold for a moment. The release of 5.24 came earlier than expected, and some of the virtuals will see revision bumps because of new providers. I'll CC you back as soon as the updated stabilization list for 5.22 is ready (likely within 1-2 days). No code changes, only virtual revision number changes.
Arches please test and stabilize the whole list below simultaneously.

Target: all stable arches

Updated stabilization list; changes are:
* one missing perl-core package and one missing virtual added
* several virtuals rev-bumped (because of additional provider Perl 5.24)

This fixes several CVEs (some not in Gentoo bugzilla yet), so please give it some priority.

If you have a clean deptree installed (e.g. no updates prevented by dependencies), and if you have recently run depclean, this should merge fine without any blockers, and also rebuild all your perl modules via the subslot change. If it does not, talk to me please.

=dev-lang/perl-5.22.2
=perl-core/Encode-2.730.0
=perl-core/Package-Constants-0.60.0
=virtual/perl-Archive-Tar-2.40.0-r1
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0-r1
=virtual/perl-CPAN-2.110.0-r1
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0-r1
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0-r1
=virtual/perl-Digest-SHA-5.950.0-r1
=virtual/perl-Encode-2.730.0
=virtual/perl-Exporter-5.720.0-r1
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0-r1
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r2
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0-r1
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0-r1
=virtual/perl-JSON-PP-2.273.0-r1
=virtual/perl-Locale-Maketext-1.260.0-r1
=virtual/perl-MIME-Base64-3.150.0-r1
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0-r1
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Package-Constants-0.60.0
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0-r1
=virtual/perl-Pod-Parser-1.630.0-r1
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0-r1
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0-r1
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14-r1
=virtual/perl-Text-Balanced-2.30.0-r1
=virtual/perl-Text-ParseWords-3.300.0-r1
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
arm stable
Stable on alpha.
Arches please test and stabilize the whole list below simultaneously.

Target: all stable arches

Updated stabilization list; changes are:
* virtual/perl-Test-Simple changed to newer virtual (_p522) that only resolves to dev-lang/perl instead of falling back to perl-core/Test-* (fix for bug #584238)

If you have a clean deptree installed (e.g. no updates prevented by dependencies), and if you have recently run depclean, this should merge fine without any blockers, and also rebuild all your perl modules via the subslot change. If it does not, talk to me please.

=dev-lang/perl-5.22.2
=perl-core/Encode-2.730.0
=perl-core/Package-Constants-0.60.0
=virtual/perl-Archive-Tar-2.40.0-r1
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0-r1
=virtual/perl-CPAN-2.110.0-r1
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0-r1
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0-r1
=virtual/perl-Digest-SHA-5.950.0-r1
=virtual/perl-Encode-2.730.0
=virtual/perl-Exporter-5.720.0-r1
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0-r1
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r2
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0-r1
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0-r1
=virtual/perl-JSON-PP-2.273.0-r1
=virtual/perl-Locale-Maketext-1.260.0-r1
=virtual/perl-MIME-Base64-3.150.0-r1
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0-r1
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Package-Constants-0.60.0
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0-r1
=virtual/perl-Pod-Parser-1.630.0-r1
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0-r1
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0-r1
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14_p522
=virtual/perl-Text-Balanced-2.30.0-r1
=virtual/perl-Text-ParseWords-3.300.0-r1
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
!!! All ebuilds that could satisfy "~perl-core/Test-Simple-1.1.14" have been masked.
!!! One of the following masked packages is required to complete your request:
- perl-core/Test-Simple-1.1.14-r1::gentoo (masked by: package.mask)
(dependency required by "virtual/perl-Test-Simple-1.1.14-r2::gentoo" [ebuild])
(dependency required by "dev-perl/Test-Tester-0.114.0::gentoo" [installed])
(dependency required by "dev-perl/Test-NoWarnings-1.40.0-r2::gentoo" [installed])
(dependency required by "dev-perl/Net-SSLeay-1.720.0-r1::gentoo[test,-minimal]" [installed])
(dependency required by "dev-perl/IO-Socket-SSL-2.24.0::gentoo" [installed])
(dependency required by "dev-perl/Net-HTTP-6.90.0::gentoo[-minimal]" [installed])
(dependency required by "dev-perl/libwww-perl-6.150.0::gentoo" [installed])
(dependency required by "x11-misc/xscreensaver-5.35::gentoo[perl]" [installed])
(dependency required by "@selected" [set])
(dependency required by "@world" [argument])

For more information, see the MASKED PACKAGES section in the emerge man page or refer to the Gentoo Handbook.

Is this an oversight or am I doing it wrong?
It really does look like dev-perl/Test-Tester needs to be bumped.
> Depends on: 584238

Stabilization can't wait on this bug, because that bug needs stabilization to happen to finish the changes it needs. (Because it needs perl to be stable in order to provide Test::Tester via perl instead of via perl-core/.)
This is a security bug.
(In reply to Jeroen Roovers from comment #13)
> This is a security bug.

Hah, someone realized! Cool! :)

However, no need for hastiness right now. (Ho hum.)

Perl 5.22.3 will come out really soon (in 2-3 weeks? it is at RC3 now), will fix a new set of more serious CVEs, and its stable request will supersede this bug here.
amd64 stable
x86 stable
sparc stable
ppc64 stable
ppc stable
ia64 stable
@ HPPA AT: *ping* - You are the last one...
(In reply to Thomas Deutschmann from comment #21)
> @ HPPA AT: *ping* - You are the last one...

Please continue in bug 589680, where a newer version is stabilized.
I found the following CVEs between perl-5.20.2 and perl-5.22.2:

CVE-2015-8607
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

CVE-2015-8608 (doesn't apply, Windows only)
VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads

CVE-2016-2381
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVE-2014-4330 (already handled in bug 523624)
The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
Added to an existing GLSA request.
Removing CVE-2016-2381, not fixed in this version.
Looks like I was checking the wrong changelogs, CVE-2015-8607 isn't fixed in <=5.22.2.

Bug removed from GLSA request because currently no vulnerability is assigned to this bug.

(In reply to Andreas K. Hüttel from comment #14)
> (In reply to Jeroen Roovers from comment #13)
> > This is a security bug.
>
> Hah, someone realized! Cool! :)
>
> However, no need for hastiness right now. (Ho hum.)
>
> Perl 5.22.3 will come out really soon (in 2-3 weeks? it is at RC3 now), will
> fix a new set of more serious CVEs, and its stable request will supersede
> this bug here.

Please help. We currently only have CVE-2015-8853 (but tracked in bug 580612) for <perl-5.22.2.
(In reply to Thomas Deutschmann from comment #26)
> Looks like I was checking the wrong changelogs, CVE-2015-8607 isn't fixed in
> <=5.22.2.

2015-8607 re: File::Spec taint-preservation sec is fixed a long time ago.

It was fixed in 796b9b6266671fdab40a84d7a8bcbd43106b160b, which is a child of 5.22.2:

git tag --contains 796b9b6266671fdab40a84d7a8bcbd43106b160b
gentoo-5.22.3-RC4-patches-2
v5.22.2
v5.22.2-RC1
v5.22.3
v5.22.3-RC1
v5.22.3-RC2
v5.22.3-RC3
v5.22.3-RC4
v5.22.3-RC5

So please close this bug whenever you're ready, Sec team. <=5.22.2 is gone \o/