Update 2021 – ActiveState’s New Perl Ecosystem
Fifteen years ago, ActiveState introduced our first Perl ecosystem consisting of ActivePerl 5.8 and its package management solution, Perl Package Manager (PPM). Together, they allowed a generation of Perl developers to more easily deploy and manage their installations by allowing them to add dependencies with linked C libraries without requiring a local build environment.
But advances in computing over the past 15 years have meant that our original Perl ecosystem has not aged well. PPM in particular has failed to build more and more dependencies over time until it was finally excluded from our ActivePerl 5.28 release.
So We are pleased to announce that earlier this month, ActiveState introduced a new version of our Perl ecosystem with the release of Perl 5.32, which provides a new way to install, work with and even consume Perl from ActiveState.
You can learn more and download your own version of ActiveState’s new Perl ecosystem for free from our Perl 5.32 page.
Steve Hay, a member of the Perl 5 core team, mentions in the community release announcement that “Perl 5.24.1 represents approximately 8 months of development since Perl 5.24.0 and contains approximately 8,100 lines of changes across 240 files from 18 authors.“ And with that, ActivePerl 5.24.1 becomes our recommended version suitable for production contexts.
However, there is one ongoing security issue that is important to understand.
5.24.1 and 5.22.3 were originally held up so that the Perl 5 Core team could deal with CVE-2016-1238. If you are not already aware, the problem relates to an unsafe module load path (“@INC”) which includes the current directory (“.”). When “perl” wants to load an optional module it will look in the current directory. Under some conditions this vulnerability can lead to arbitrary code execution, for instance when the directory is writable (i.e. /tmp).
After considerable debate and investigation into resolving this issue in a variety of ways, the Perl core team decided to get the other accumulated changes out for public consumption and continue to work on the CVE in the next release. In the 5.24.1 and 5.22.3 releases, a partial set of changes were made such that the core modules and tools no longer search for “.” with optional modules. The rest of the changes needed to fully resolve the CVE were not included at this time as they risk breaking existing applications. A workaround exists as outlined in http://search.cpan.org/~shay/perl/pod/perldelta.pod. The next releases of 5.24.2 and 5.22.4 will contain a final resolution to this issue.
Enjoy the new Perls!