"Moderately timely" vulnerability notifications
by Troy Topnik

Troy Topnik, December 1, 2009

Secunia reported a "moderately critical" vulnerability in ActivePerl today. It alarmed us until we noticed that they were citing an old ActivePerl release announcement.

For the record, this "new" Secunia security advisory applies to older versions of ActivePerl (build 1004 and previous in the 5.10 branch and build 825 and previous in the 5.8 branch). Secunia reported on the same vulnerability in other Perl distributions back in June and August.

The updates to Compress::Raw::Zlib and Compress::Raw::Bzip2 were included in ActivePerl and (Compress::Raw::Bzip2 was not bundled with prior builds). This was released in May, before Vulnerability Summary CVE-2009-1391 was first published by US-CERT/NIST, and long before any known exploits had been reported in the wild. In fact, Compress::Raw::Zlib 2.019 and Compress::Raw::Bzip2 2.019 (which do not have the problem) have been available via ActivePerl's PPM package manager since May 7, 2009.

If you are running a version of ActivePerl older than those mentioned above, you can upgrade to the latest version, or just update these modules using PPM. You can do this at the command line with:

ppm update Compress-Raw-Zlib
ppm update Compress-Raw-Bzip2
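Before running those updates, it is worth knowing whether an installation actually needs them. The following script is an added example, not code from the original post or from ActiveState: it loads each of the two modules, compares the installed version against the 2.019 releases named above, and prints the matching ppm command for any that are outdated. It assumes the version module is available (core in Perl 5.10, installable from CPAN on 5.8).

```perl
#!/usr/bin/perl
# Added example: report whether Compress::Raw::Zlib and Compress::Raw::Bzip2
# are at or above the fixed 2.019 release, and suggest the ppm update if not.
use strict;
use warnings;
use version;

my $fixed = version->parse('2.019');   # first release without the problem

# module name => PPM package name (as used by "ppm update")
my %packages = (
    'Compress::Raw::Zlib'  => 'Compress-Raw-Zlib',
    'Compress::Raw::Bzip2' => 'Compress-Raw-Bzip2',
);

# Returns 'missing', 'ok (<ver>)' or 'outdated (<ver>)' for one module.
# 'missing' is a normal result for Compress::Raw::Bzip2 on older ActivePerl
# builds, which did not bundle it; a module that is not installed cannot be
# the vulnerable one.
sub check_module {
    my ($mod) = @_;
    (my $file = "$mod.pm") =~ s{::}{/}g;          # Foo::Bar -> Foo/Bar.pm
    return 'missing' unless eval { require $file; 1 };
    my $installed = $mod->VERSION;
    $installed = 0 unless defined $installed;
    my $ver = version->parse($installed);
    return $ver >= $fixed ? "ok ($ver)" : "outdated ($ver)";
}

my $needs_update = 0;
for my $mod (sort keys %packages) {
    my $status = check_module($mod);
    printf "%-22s %s\n", $mod, $status;
    if ($status =~ /^outdated/) {
        print "  -> run: ppm update $packages{$mod}\n";
        $needs_update = 1;
    }
}

# Non-zero exit code makes the check usable from a scheduled job or build script.
exit $needs_update;
```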

PPM upgradable packages
In fact, PPM has a really handy way to check for module updates. Launch the GUI for ppm by running 'ppm' without any arguments, double-clicking on the application, or choosing it from the Start menu (Windows). Click the "View upgradeable packages" button and voilà: PPM shows you all the modules in your installation for which there are upgrades available. For those on the command line, ppm update will do the same thing.

Though it's never fun to find a vulnerability in your code, we're proud of how quickly we address them when they do turn up.

Category: announcements

About the Author:

As ActiveState's Technical Product Manager for Stackato, Troy Topnik is responsible for defining and prioritizing the product roadmap to build the best cloud platform for deploying applications. Since joining ActiveState in 2001, he has held roles in Technical Support, Training, and Technical Writing. He believes in documentation-driven development as a pragmatic path to a better user experience.


2 comments for "Moderately timely" vulnerability notifications

Is there a way to select multiple items and highlight them instead of one-at-a-time updates in the GUI?


Yes, though you don't actually highlight them. Mark each item for upgrade by clicking "+" when it's selected. Once you've marked all the ones you want, then click "Run marked actions" (Ctrl+Enter) and it will perform all of the upgrades in a batch.