ActiveState is pleased to announce ActivePerl 5.8.9 build 826 and ActivePerl 5.10.0 build 1005, complete, ready-to-install Perl distributions for Windows, Mac OS X, Linux, Solaris, and AIX.

For detailed information or to download these releases, see:

http://www.activestate.com/Products/activeperl

New in ActivePerl 5.8.9 Build 826
=================================

* The following security vulnerabilities in the Crypt::SSLeay module were addressed in this release by upgrading the OpenSSL libraries to version 0.9.8k:

  - CVE-2009-0590 (ASN1 printing crash)

    The function ASN1_STRING_print_ex() when used to print a BMPString or UniversalString will crash with an invalid memory access if the encoded length of the string is illegal. Any OpenSSL application which prints out the contents of a certificate could be affected by this bug, including SSL servers, clients and S/MIME software.

  - CVE-2009-0789 (Invalid ASN1 clearing check)

    When a malformed ASN1 structure is received its contents are freed up and zeroed and an error condition returned. On 64-bit Windows this can cause an invalid memory access later resulting in a crash when some invalid structures are read, for example RSA public keys. Any OpenSSL application on 64-bit Windows which uses the public key of an untrusted certificate could be crashed by a malformed structure, including SSL servers, clients, CA and S/MIME software.

  - CVE-2008-5077 (Incorrect checks for malformed signatures)

    Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS. One way to exploit this flaw would be for a remote attacker who is in control of a malicious server or who can use a 'man in the middle' attack to present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation.

* PerlEx no longer sets the MOD_PERL environment variable (the change from build 825 has been reverted), as it has undesirable side-effects.

* The -p function used to always return a false value on Windows. It now correctly detects if the filehandle argument is a pipe or not. Also the Fcntl::S_IFIFO constant is now defined.

* A potential buffer overflow in Perl for ISAPI has been fixed. Whenever Perl for ISAPI wrote an error message to the log file it would potentially write beyond the end of a heap buffer.

* All bundled modules have been updated to their latest versions.

New in ActivePerl 5.10.0 Build 1005
===================================

The changes in ActivePerl build 1005 are the same as for build 826 with the exception that PerlEx in build 1004 didn't claim to be mod_perl, so this didn't need to be reverted.

Latest DBD::mysql binaries for Windows
======================================

In unrelated news, we've also updated the Windows PPM repositories with the latest DBD::mysql binaries for Perl 5.8, 5.10, and 64-bit 5.10. You can install them simply by running:

    ppm install DBD-mysql

Getting Started
===============

Whether you're a first-time user or a long-time fan, our free resources will help you get the most from ActivePerl.

Mailing list archives:
http://aspn.activestate.com/ASPN/Mail/Browse/Threaded/ActivePerl

Feedback
========

Everyone is encouraged to participate in making Perl an even better language.

For bugs related to ActiveState use:

http://bugs.activestate.com/enter_bug.cgi?product=ActivePerl&version=826
http://bugs.activestate.com/enter_bug.cgi?product=ActivePerl&version=1005

For bugs related directly to Perl please use the 'perlbug' utility.

Enjoy!
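
The result-check flaw described under CVE-2008-5077 above, shown as an added example that is not part of the announcement and is not OpenSSL or ActiveState code. `model_verify_final` is a hypothetical stand-in that copies the 1 / 0 / -1 return convention of EVP_VerifyFinal; the toy signature format and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for EVP_VerifyFinal(): returns 1 for a valid
 * signature, 0 for an invalid one, -1 when an error occurs (here: a
 * malformed encoding). Toy format: 0x30, one length byte, payload. */
static int model_verify_final(const unsigned char *sig, size_t siglen,
                              const unsigned char *want, size_t wantlen)
{
    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] != siglen - 2)
        return -1;                        /* malformed: error, not "invalid" */
    if ((size_t)sig[1] != wantlen || memcmp(sig + 2, want, wantlen) != 0)
        return 0;                         /* well-formed but does not match */
    return 1;                             /* good signature */
}

/* Flawed pattern: only 0 is treated as failure, so -1 is accepted. */
int accept_flawed(const unsigned char *sig, size_t siglen,
                  const unsigned char *want, size_t wantlen)
{
    if (!model_verify_final(sig, siglen, want, wantlen))
        return 0;
    return 1;
}

/* Corrected pattern: every non-positive result is a rejection. */
int accept_fixed(const unsigned char *sig, size_t siglen,
                 const unsigned char *want, size_t wantlen)
{
    if (model_verify_final(sig, siglen, want, wantlen) <= 0)
        return 0;
    return 1;
}

/* Constructed sample inputs. */
const unsigned char WANT[]          = { 0xAA, 0xBB, 0xCC };
const unsigned char SIG_GOOD[]      = { 0x30, 0x03, 0xAA, 0xBB, 0xCC };
const unsigned char SIG_WRONG[]     = { 0x30, 0x03, 0xAA, 0xBB, 0x00 };
const unsigned char SIG_MALFORMED[] = { 0x30, 0x7F, 0xAA }; /* bad length */

int main(void)
{
    printf("malformed: flawed=%d fixed=%d\n",
           accept_flawed(SIG_MALFORMED, sizeof SIG_MALFORMED, WANT, sizeof WANT),
           accept_fixed(SIG_MALFORMED, sizeof SIG_MALFORMED, WANT, sizeof WANT));
    return 0;
}
```

When auditing code that calls a verification routine with this return convention, look for `!result` or `result == 0` tests and confirm that the error value is rejected as well.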