-------------------------------------------------------------------------
Debian Security Advisory DSA-3501-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 01, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2016-2381

Stephane Chazelas discovered a bug in the environment handling in Perl.
Perl provides a Perl-space hash variable, %ENV, in which environment
variables can be looked up. If a variable appears twice in envp, only
the last value would appear in %ENV, but getenv would return the first.
Perl's taint security mechanism would be applied to the value in %ENV,
but not to the rest of the environment. This could result in an
ambiguous environment causing environment variables to be propagated to
subprocesses, despite the protections supposedly offered by taint
checking.

With this update Perl changes the behavior to match the following:

 a) %ENV is populated with the first environment variable, as getenv
    would return.
 b) Duplicate environment entries are removed.

For the oldstable distribution (wheezy), this problem has been fixed
in version 5.14.2-21+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 5.20.2-3+deb8u4.

For the unstable distribution (sid), this problem will be fixed in
version 5.22.1-8.

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
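
Added example, not part of the Debian advisory and not Perl's own code: a C sketch of the ambiguity described above, showing how a first-match lookup (as the advisory says getenv returns) and a last-match lookup (the pre-fix %ENV view) disagree on a duplicated name, and how removing duplicates with the first entry kept makes them agree. The function names and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample envp: PATH appears twice, as in the ambiguous case. */
char *sample_env[] = { "PATH=/usr/bin:/bin", "HOME=/root",
                       "PATH=/tmp/untrusted", NULL };

static size_t name_len(const char *e) {
    const char *eq = strchr(e, '=');
    return eq ? (size_t)(eq - e) : strlen(e);
}
static int same_name(const char *a, const char *b) {
    size_t n = name_len(a);
    return n == name_len(b) && strncmp(a, b, n) == 0;
}
static const char *value_of(const char *e) {
    const char *eq = strchr(e, '=');
    return eq ? eq + 1 : "";
}
/* First match wins: the value the advisory says getenv would return. */
const char *lookup_first(char *const envp[], const char *name) {
    for (size_t i = 0; envp[i]; i++)
        if (same_name(envp[i], name)) return value_of(envp[i]);
    return NULL;
}
/* Last match wins: what a hash filled in envp order holds (pre-fix %ENV). */
const char *lookup_last(char *const envp[], const char *name) {
    const char *hit = NULL;
    for (size_t i = 0; envp[i]; i++)
        if (same_name(envp[i], name)) hit = value_of(envp[i]);
    return hit;
}
/* Keep the first entry per name, drop later ones; returns how many dropped. */
size_t dedupe_first_wins(char *envp[]) {
    size_t out = 0, dropped = 0;
    for (size_t i = 0; envp[i]; i++) {
        size_t j = 0;
        while (j < out && !same_name(envp[j], envp[i])) j++;
        if (j < out) dropped++;        /* name already kept: duplicate */
        else envp[out++] = envp[i];
    }
    envp[out] = NULL;
    return dropped;
}
int main(void) {
    printf("first=%s last=%s\n", lookup_first(sample_env, "PATH"),
           lookup_last(sample_env, "PATH"));
    printf("dropped=%zu\n", dedupe_first_wins(sample_env));
    printf("first=%s last=%s\n", lookup_first(sample_env, "PATH"),
           lookup_last(sample_env, "PATH"));
    return 0;
}
```

A wrapper that sanitises the environment before starting a child process can apply the same first-wins pass to the array it hands to execve, so the child and anything it spawns see a single value per name.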