From owner-freebsd-perl@freebsd.org Sun May 28 21:00:01 2017
From: bugzilla-noreply@FreeBSD.org
To: perl@FreeBSD.org
Subject: Problem reports for perl@FreeBSD.org that need special attention
Date: Sun, 28 May 2017 21:00:01 +0000
Message-Id: <201705282100.v4SL012l035962@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
New         |    218946 | lang/perl5.24 - remote DoS via CPU exhaustion by

1 problems total for which you should take action.

From owner-freebsd-perl@freebsd.org Thu Jun 1 00:09:26 2017
To: perl@freebsd.org
From: James E Keenan
Subject: Perl extension File-Path: vulnerability in two functions: CVE-2017-6512
Date: Wed, 31 May 2017 20:04:51 -0400

A vulnerability has been reported in Perl extension File-Path
(http://search.cpan.org/dist/File-Path/) versions 2.12 and earlier.
In the rmtree() and remove_tree() functions, the chmod() logic to make
directories traversable can be abused to set the mode on an
attacker-chosen file to an attacker-chosen value. This is due to the
time-of-check-to-time-of-use (TOCTTOU) race condition
(https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use) between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.

This vulnerability was reported by the cPanel Security Team. It has
been assigned the following CVE ID:

CVE-2017-6512

CPAN versions 2.13 and later incorporate a patch to address this
problem. As File-Path is an extension distributed with the Perl 5 core
distribution, you are encouraged to upgrade your Perl package to include
File-Path 2.13 or later.

For further (public) discussion of this issue I have opened a ticket in
the File-Path bug tracker:

https://rt.cpan.org/Ticket/Display.html?id=121951

You can contribute to this discussion either through the web interface
or by email to bug-File-Path@rt.cpan.org, including the following string
in the Subject line:

[rt.cpan.org #121951]

This is the first time I have had to report a security vulnerability, so
I don't claim to fully grasp the protocol for making such a report. If
there is a better email address or other way to make this report, please
let me know.

Thank you very much.
James E Keenan
CPAN ID: JKEENAN

From owner-freebsd-perl@freebsd.org Thu Jun 1 03:29:49 2017
Date: Thu, 1 Jun 2017 05:29:45 +0200
From: Kurt Jaeger
To: James E Keenan
Cc: perl@freebsd.org
Subject: Re: Perl extension File-Path: vulnerability in two functions: CVE-2017-6512
Message-ID: <20170601032945.GG43031@home.opsec.eu>

Hi!

> A vulnerability has been reported in Perl extension File-Path
> (http://search.cpan.org/dist/File-Path/) versions 2.12 and earlier.
[...]
> This is the first time I have had to report a security vulnerability, so
> I don't claim to fully grasp the protocol for making such a report. If
> there is a better email address or other way to make this report, please
> let me know.

I've committed an update to 2.13 for the port devel/p5-File-Path.

In general, it helps if you submit a problem report via
bugs.freebsd.org, to track the issue.

-- 
pi@opsec.eu            +49 171 3101372                         3 years to go !

From owner-freebsd-perl@freebsd.org Thu Jun 1 09:06:34 2017
Date: Thu, 1 Jun 2017 09:06:34 +0000
From: portscout@FreeBSD.org
To: perl@freebsd.org
Subject: FreeBSD ports you maintain which are out of date
Message-Id: <201706010906.v5196YOd069462@portscout.ysv.freebsd.org>

Dear port maintainer,

The portscout new distfile checker has detected that one or more of your
ports appears to be out of date. Please take the opportunity to check
each of the ports listed below, and if possible and appropriate,
submit/commit an update. If any ports have already been updated, you can
safely ignore the entry.

You will not be e-mailed again for any of the port/version combinations
below.

Full details can be found at the following URL:
http://portscout.freebsd.org/perl@freebsd.org.html

Port                                            | Current version | New version
------------------------------------------------+-----------------+------------
devel/p5-MooseX-AttributeShortcuts              | 0.029           | 0.031
------------------------------------------------+-----------------+------------

If any of the above results are invalid, please check the following page
for details on how to improve portscout's detection and selection of
distfiles on a per-port basis:

http://portscout.freebsd.org/info/portscout-portconfig.txt

Thanks.
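
The stat()-then-chmod() race from the CVE-2017-6512 report earlier in this archive, shown as the general check-by-path, act-by-path pattern next to a descriptor-based alternative. This is an added example in C, not File-Path's code or its 2.13 patch; the function names, the `seen` parameter and the temp-directory scenario are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy shape (illustrative name): the type check and the chmod() each
 * resolve the path on their own, so the name can be re-pointed in between. */
int make_traversable_racy(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    /* window: 'path' may name a different inode by the time chmod() runs */
    return chmod(path, (st.st_mode & 07777) | S_IRWXU);
}

/* Hardened shape (illustrative name): open once without following a symlink,
 * check and change the mode through the descriptor, and require the opened
 * inode to be the one an earlier lstat() saw ('seen'). */
int make_traversable_fd(const char *path, const struct stat *seen) {
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1; /* symlink, not a directory, or not readable */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) &&
        st.st_dev == seen->st_dev && st.st_ino == seen->st_ino)
        rc = fchmod(fd, (st.st_mode & 07777) | S_IRWXU);
    close(fd);
    return rc;
}

/* Constructed scenario in a fresh temp dir. Returns a bitmask:
 * 1 = checked directory became user-rwx, 2 = symlink was refused,
 * 4 = a directory other than the checked one was refused, 8 = d2 untouched. */
int run_scenario(void) {
    char base[] = "/tmp/toctou-demo-XXXXXX", d1[64], d2[64], ln[64];
    struct stat seen, now;
    int result = 0;
    if (!mkdtemp(base)) return -1;
    snprintf(d1, sizeof d1, "%s/d1", base);
    snprintf(d2, sizeof d2, "%s/d2", base);
    snprintf(ln, sizeof ln, "%s/link", base);
    if (mkdir(d1, 0500) || mkdir(d2, 0500) || symlink(d2, ln)) return -1;
    if (lstat(d1, &seen) != 0) return -1;      /* the "time of check" */
    if (make_traversable_fd(d1, &seen) == 0 && stat(d1, &now) == 0 &&
        (now.st_mode & 0700) == 0700) result |= 1;
    if (make_traversable_fd(ln, &seen) != 0) result |= 2;
    if (make_traversable_fd(d2, &seen) != 0) result |= 4;
    if (stat(d2, &now) == 0 && (now.st_mode & 0777) == 0500) result |= 8;
    unlink(ln); rmdir(d1); rmdir(d2); rmdir(base);
    return result;
}

int main(void) {
    printf("scenario bitmask: %d\n", run_scenario());
    return 0;
}
```

For an unprivileged caller, a directory without read permission cannot be opened with O_RDONLY, so the descriptor-based function returns -1 there instead of changing the mode; the caller has to treat that as a failure rather than fall back to chmod() by path.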
From owner-freebsd-perl@freebsd.org Fri Jun 2 09:57:14 2017
Date: Fri, 2 Jun 2017 09:57:13 +0000
From: portscout@FreeBSD.org
To: perl@freebsd.org
Subject: FreeBSD ports you maintain which are out of date
Message-Id: <201706020957.v529vDdw067291@portscout.ysv.freebsd.org>

Dear port maintainer,

The portscout new distfile checker has detected that one or more of your
ports appears to be out of date. Please take the opportunity to check
each of the ports listed below, and if possible and appropriate,
submit/commit an update. If any ports have already been updated, you can
safely ignore the entry.

You will not be e-mailed again for any of the port/version combinations
below.

Full details can be found at the following URL:
http://portscout.freebsd.org/perl@freebsd.org.html

Port                                            | Current version | New version
------------------------------------------------+-----------------+------------
security/p5-Crypt-OpenSSL-EC                    | 1.3             | 1.31
------------------------------------------------+-----------------+------------

If any of the above results are invalid, please check the following page
for details on how to improve portscout's detection and selection of
distfiles on a per-port basis:

http://portscout.freebsd.org/info/portscout-portconfig.txt

Thanks.
From owner-freebsd-perl@freebsd.org Sat Jun 3 08:31:43 2017
Date: Sat, 3 Jun 2017 08:31:43 +0000
From: portscout@FreeBSD.org
To: perl@freebsd.org
Subject: FreeBSD ports you maintain which are out of date
Message-Id: <201706030831.v538Vh6V051620@portscout.ysv.freebsd.org>

Dear port maintainer,

The portscout new distfile checker has detected that one or more of your
ports appears to be out of date. Please take the opportunity to check
each of the ports listed below, and if possible and appropriate,
submit/commit an update. If any ports have already been updated, you can
safely ignore the entry.

You will not be e-mailed again for any of the port/version combinations
below.

Full details can be found at the following URL:
http://portscout.freebsd.org/perl@freebsd.org.html

Port                                            | Current version | New version
------------------------------------------------+-----------------+------------
textproc/p5-XML-DOM-Lite                        | 0.15            | 0.16
------------------------------------------------+-----------------+------------

If any of the above results are invalid, please check the following page
for details on how to improve portscout's detection and selection of
distfiles on a per-port basis:

http://portscout.freebsd.org/info/portscout-portconfig.txt

Thanks.