ActiveBlog

"Moderately timely" vulnerability notifications
Troy Topnik, December 1, 2009

Secunia reported a "moderately critical" vulnerability in ActivePerl today. It alarmed us until we noticed that they were citing an old ActivePerl 5.10.1.1006 release announcement.

For the record, this "new" Secunia security advisory applies to older versions of ActivePerl (build 1004 and earlier in the 5.10 branch, and build 825 and earlier in the 5.8 branch). Secunia reported on the same vulnerability in other Perl distributions back in June and August.

The updates to Compress::Raw::Zlib and Compress::Raw::Bzip2 were included in ActivePerl 5.8.9.826 and 5.10.0.1005 (Compress::Raw::Bzip2 was not bundled with prior builds). These builds were released in May, before the vulnerability summary for CVE-2009-1391 was first published by US-CERT/NIST, and long before any known exploits had been reported in the wild. In fact, Compress::Raw::Zlib 2.019 and Compress::Raw::Bzip2 2.019 (which do not have the problem) have been available via ActivePerl's PPM package manager since May 7, 2009.

If you are running a version of ActivePerl older than those mentioned above, you can upgrade to the latest version, or just update these modules using PPM. You can do this at the command line with:

ppm update Compress-Raw-Zlib

...and:

ppm update Compress-Raw-Bzip2
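As an added example that is not part of the original post, here is a small POSIX shell dry-run script that applies the thresholds stated above: it decides whether an ActivePerl build falls in the affected range and prints which of the two ppm commands are still needed. It assumes ActivePerl version strings of the form 5.10.1.1004 (Perl version followed by the ActiveState build number) and decimal module versions such as 2.019; the function names are my own.

```shell
#!/bin/sh
# Added example, not ActiveState's code. Thresholds come from the post:
# 5.8 builds <= 825 and 5.10 builds <= 1004 shipped the old modules,
# and 2.019 of each Compress::Raw module is the fixed release.

# activeperl_affected VERSION -> prints "affected", "ok" or "unknown"
# VERSION looks like 5.10.1.1004 (assumed format: perl version + build).
activeperl_affected() {
    branch=$(printf '%s' "$1" | cut -d. -f1-2)
    build=$(printf '%s' "$1" | awk -F. '{print $NF}')
    case $build in
        ''|*[!0-9]*) echo unknown; return ;;   # no numeric build number
    esac
    case $branch in
        5.8)  [ "$build" -le 825 ]  && echo affected || echo ok ;;
        5.10) [ "$build" -le 1004 ] && echo affected || echo ok ;;
        *)    echo unknown ;;                  # branch not named in the post
    esac
}

# module_fixed VERSION -> succeeds when the module version is >= 2.019.
# An empty version (module not installed) is treated as not fixed.
module_fixed() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 >= 2.019) }'
}

# needed_updates ACTIVEPERL_VERSION ZLIB_VERSION BZIP2_VERSION
# Prints the ppm commands still required. Dry run: nothing is executed,
# so the output can be reviewed before being run on the host.
needed_updates() {
    [ "$(activeperl_affected "$1")" = affected ] || return 0
    module_fixed "$2" || echo "ppm update Compress-Raw-Zlib"
    module_fixed "$3" || echo "ppm update Compress-Raw-Bzip2"
}

# Constructed sample: an old 5.10 build with the unpatched zlib module
# and no bzip2 module installed at all.
needed_updates 5.10.1.1004 2.018 ""
```

On a real host the two module versions can be read with `perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION'` (and likewise for Bzip2) and passed to `needed_updates`.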

PPM upgradable packages
In fact, PPM has a really handy way to check for module updates. Launch the PPM GUI by running 'ppm' without any arguments, double-clicking the application, or choosing it from the Start menu (Windows). Click the "View upgradeable packages" button and voilà: PPM shows you all the modules in your installation for which upgrades are available. For those on the command line, ppm update will do the same thing.

Though it's never fun to find a vulnerability in your code, we're proud of how quickly we address them when they do turn up.

Category: announcements
About the Author

Troy Topnik is ActiveState's technical writer. After joining ActiveState in 2001 as a "Customer Relationship Representative" (AKA Tech Support), Troy went on to lead the PureMessage Enterprise Support team before moving on to a technical writing role in 2004. His talent for describing software for new users stems from his difficulty understanding things that developers find obvious. He has a Bachelor of Music from the University of Victoria.

Comments

2 comments for "Moderately timely" vulnerability notifications

Is there a way to select multiple items and highlight them, instead of doing one-at-a-time updates in the GUI?


Yes, though you don't actually highlight them. Mark each item for upgrade by clicking "+" when it's selected. Once you've marked all the ones you want, then click "Run marked actions" (Ctrl+Enter) and it will perform all of the upgrades in a batch.