OpenSSL 1.0.2g was released today, containing fixes for a variety of security vulnerabilities. While we don’t believe these vulnerabilities will impact most people, ActivePerl makes it easy to upgrade any installed SSL modules to the latest version. There are nine modules listed below that we build with OpenSSL. As of today, we have rebuilt all of these modules using version 1.0.2g.
To update on Windows: If you’re using Windows, run the PPM GUI and search for them by name. You may need to first select the toolbar button to view installed packages. For each of these modules you have installed, right-click on it and choose to reinstall. Click the green arrow to the right of the search box to confirm, and that’s it!
PPM command-line tool: If you’d like to use the ppm command-line tool instead, search for modules using
ppm search and reinstall a module with
ppm install --force Net-SSLeay.
For most people, Net-SSLeay will likely be the only one installed, but you should check for the others just in case. The Net-SSLeay module, which handles the low-level details of the SSL protocol, is used by over 100 modules ranging from the classic libwww-perl (LWP) to POE, AnyEvent, and other networking modules that need to communicate securely.
Note that some modules with SSL in their name don’t actually use OpenSSL directly and will not need to be updated. An example of such a module is IO-Socket-SSL. If the module isn’t in the short list above, it won’t need updating. If you know of an OpenSSL-related module that we aren’t currently including in PPM, please let us know.
Updated PPMs are available for ActivePerl 5.14 and later versions. If you are using a version older than this, consider upgrading to the latest release.
Title photo courtesy of Debby Hudson on Unsplash.