"Moderately timely" vulnerability notifications

Secunia reported a "moderately critical" vulnerability in ActivePerl today. It alarmed us until we noticed that they were citing an old ActivePerl release announcement.

For the record, this "new" Secunia security advisory applies to older versions of ActivePerl (build 1004 and previous in the 5.10 branch and build 825 and previous in the 5.8 branch). Secunia reported on the same vulnerability in other Perl distributions back in June and August.

The updates to Compress::Raw::Zlib and Compress::Raw::Bzip2 were included in ActivePerl (Compress::Raw::Bzip2 was not bundled with prior builds). That release came out in May, before the Vulnerability Summary for CVE-2009-1391 was first published by US-CERT/NIST, and long before any known exploits had been reported in the wild. In fact, Compress::Raw::Zlib 2.019 and Compress::Raw::Bzip2 2.019 (which do not have the problem) have been available via ActivePerl's PPM package manager since May 7, 2009.

If you are running a version of ActivePerl older than those mentioned above, you can upgrade to the latest version, or just update these modules using PPM. You can do this at the command line with:

ppm update Compress-Raw-Zlib
ppm update Compress-Raw-Bzip2

In fact, PPM has a really handy way to check for module updates. Launch the PPM GUI by running 'ppm' without any arguments, by double-clicking the application, or by choosing it from the Start menu (Windows). Click the "View upgradeable packages" button and voilà: PPM shows you all the modules in your installation for which upgrades are available. For those on the command line, 'ppm update' will do the same thing.
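For administrators who want to audit an installation before touching it, here is an added check script (not code from the post or from ActiveState) that reports whether the installed Compress::Raw::Zlib and Compress::Raw::Bzip2 are below the 2.019 release the post names and prints the matching 'ppm update' command. It assumes only that PPM package names replace '::' with '-', as in the commands above.

```perl
#!/usr/bin/perl
# Added audit script (not from the post): compare the installed
# Compress::Raw::Zlib / Compress::Raw::Bzip2 against the fixed 2.019
# release and print the "ppm update" command for anything older.
use strict;
use warnings;

# Earliest versions without the problem, as stated in the post.
my %fixed = (
    'Compress::Raw::Zlib'  => '2.019',
    'Compress::Raw::Bzip2' => '2.019',
);

# Return the installed version string, or undef if the module is absent.
sub installed_version {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return eval { require $file; $module->VERSION };
}

# True when $have is older than $min. Versions such as "2.019" or
# "2.019_01" compare correctly as decimals once the dev-release
# underscore is removed.
sub needs_update {
    my ($have, $min) = @_;
    (my $h = $have) =~ s/_//g;
    return $h < $min;
}

my $exit = 0;
for my $module (sort keys %fixed) {
    my $have = installed_version($module);
    (my $ppm_name = $module) =~ s/::/-/g;   # assumption: PPM name uses hyphens
    if (!defined $have) {
        print "$module: not installed\n";
    }
    elsif (needs_update($have, $fixed{$module})) {
        print "$module $have is below $fixed{$module}; run: ppm update $ppm_name\n";
        $exit = 1;
    }
    else {
        print "$module $have is at or above $fixed{$module}: OK\n";
    }
}
exit $exit;   # non-zero when any module still needs the update
```

The non-zero exit status lets the script be used from a scheduled job or configuration-management run to flag hosts that still carry the old modules.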

Though it's never fun to find a vulnerability in your code, we're proud of how quickly we address them when they do turn up.