ActivePerl 5.24.1 and 5.22.3

Note: While ActivePerl 5.24 and 5.22 are currently still maintained and supported, we highly recommend moving to Perl 5.32, which offers native support for virtual environments, built-in dependency management, and an alternative to PPM that automatically builds and installs far more dependencies.

Update 2021 – ActiveState’s New Perl Ecosystem

However, there is one ongoing security issue that is important to understand.

5.24.1 and 5.22.3 were originally held up so that the Perl 5 Core team could deal with CVE-2016-1238. If you are not already aware, the problem relates to an unsafe module load path (“@INC”) that includes the current directory (“.”). When “perl” wants to load an optional module, it will also look in the current directory. Under some conditions this vulnerability can lead to arbitrary code execution, for instance when the current directory is writable by others (e.g. /tmp).

After considerable debate and investigation into resolving this issue in a variety of ways, the Perl core team decided to get the other accumulated changes out for public consumption and continue to work on the CVE in the next release. In the 5.24.1 and 5.22.3 releases, a partial set of changes was made so that the core modules and tools no longer search “.” when loading optional modules. The rest of the changes needed to fully resolve the CVE were not included at this time, as they risk breaking existing applications. A workaround exists, as outlined in http://search.cpan.org/~shay/perl/pod/perldelta.pod. The next releases, 5.24.2 and 5.22.4, will contain a final resolution to this issue.
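Application code that loads optional modules can apply the same idea as the partial fix described above. The following is an added example, not code from the original post or from the Perl core changes; `inc_without_dot`, `require_optional` and `My::Optional::Plugin` are hypothetical names chosen for illustration.

```perl
#!/usr/bin/perl
# Added example: load an optional module without searching the current directory.
use strict;
use warnings;

# Return a copy of @INC with every "." entry removed.
# Code-ref hooks that may be present in @INC are kept as they are.
sub inc_without_dot {
    return grep { ref($_) || $_ ne '.' } @INC;
}

# Try to load an optional module by name; returns 1 on success, 0 if absent.
# @INC is localized, so the caller's search path is unchanged afterwards.
sub require_optional {
    my ($module) = @_;
    die "bad module name: $module\n"
        unless $module =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;
    (my $file = "$module.pm") =~ s{::}{/}g;
    local @INC = inc_without_dot();
    return eval { require $file; 1 } ? 1 : 0;
}

# Report whether this interpreter has "." on its module search path.
my $dot_in_inc = grep { !ref($_) && $_ eq '.' } @INC;
printf "'.' in \@INC: %s\n", $dot_in_inc ? "yes" : "no";

# List::Util ships with Perl. My::Optional::Plugin is a hypothetical optional
# module: with "." stripped, a file of that name in the current directory is
# never picked up.
for my $mod ('List::Util', 'My::Optional::Plugin') {
    printf "%-22s %s\n", $mod,
        require_optional($mod) ? "loaded" : "not available";
}
```

Running the script from a shared directory such as /tmp shows whether the interpreter in use still lists "." in @INC, and that the optional load falls through to "not available" instead of reading from the working directory.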

Enjoy the new Perls!
