On Tue, Dec 04, 2018 at 04:26:37PM +0000, Ken Moffat via blfs-support wrote:
>
> This has now been tested using 5.28.1 as 5.28.0, 5.26.3 as both
> 5.26.1 and 5.26.0, and 5.24.4 as 5.24.1.
>
> The latter was for an old LFS-8.0 system I had lying around.
> Unfortunately, 5.24 is EOL and has not been updated for the latest
> CVE-18311..4 fixes (but there were several CVE fixes after 5.24.1
> which are in .4).
>
> For CVE-2018-18311..4 the fixes apply for several previous versions.
> Debian are using 5.20 on one release, but they had not updated when
> I looked. Ubuntu are using 5.22 on a release and have backported
> these. Unfortunately, not all of their patches applied to 5.24, and
> my initial attempt to manually fix them up caused at least one test
> to spew out a message which was garbage but recognizable from my
> attempt to put a hunk in manually. So, for 5.24 I have not at the
> moment fixed the latest vulnerabilities - that system was not being
> maintained, so no worries.
>

Just in case anyone else is still using 5.24: Debian are maintaining
5.24.1 in 'stretch' (their current stable, released June last year).
They now have perl_5.24.1-3+deb9u5.debian.tar.xz at
https://packages.debian.org/stretch/perl (the site was unresponsive
when I last tried it a few days ago, but I managed to get the download
a few minutes ago). All their patches on top of 5.24.1 are in
debian/patches/fixes/. So as an alternative, for 5.24.1 people could
just apply all their CVE patches.

I return you to your normal programme.

ĸen
--
I'm saving up 22 shillings and 10 pence (almost a pound!) per week to
buy an ARM-13.
http://www.antipope.org/charlie/blog-static/2018/11/brexit-means-brexit.html
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
