4.141. perl

Updated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Perl is a high-level programming language commonly used for system administration utilities and web programming.

Security Fixes

CVE-2011-3597
It was found that the "new" constructor of the Digest module used its argument as part of the string expression passed to the eval() function. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl program that uses untrusted input as an argument to the constructor.
CVE-2010-2761
It was found that the Perl CGI module used a hard-coded value for the MIME boundary string in multipart/x-mixed-replace content. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
CVE-2010-4410
A CRLF injection flaw was found in the way the Perl CGI module processed a sequence of non-whitespace preceded by newline characters in the header. A remote attacker could use this flaw to conduct an HTTP response splitting attack via a specially-crafted sequence of characters provided to the CGI module.
All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect.
Updated perl packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
Perl is a high-level programming language commonly used for system administration utilities and web programming.

Bug Fixes

BZ#548249
Due to an error in the threads module, memory was leaked each time a thread was detached. Over time, this could cause long-running threaded Perl programs to consume a significant amount of memory. With this update, a patch has been applied to ensure the allocated memory is properly freed when a thread is detached, and using threads in Perl applications no longer causes memory leaks.
BZ#523827
If the "-default" parameter contained a plus sign ("+"), the CGI::popup_menu() method failed to generate valid HTML code and the closing tag of a paired tag was sometimes missing. The regular expression that contributes the HTML code in such scenarios has been fixed and the closing tag is now always present.
BZ#537777
Previously, joining or undefining a thread variable in a Perl script resulted in the following error message: "Attempt to free unreferenced scalar: SV 0x7b7dcb0, Perl interpreter: 0x7b4cfb0 during global destruction." A backported upstream patch has been provided and the internal error is no longer returned in the described scenario.
BZ#590644
Previously, the CGI::popup_menu() method generated invalid HTML code; a space character was sometimes missing between two attributes of a tag. With this update, the regular expression responsible for generating such code has been fixed and the space characters are now properly generated in the described scenario.
BZ#675863
When threads were being rapidly created and detached on a multi-processor system with Perl, a variety of unexpected terminations occurred as a result. With this update, the threads module has been updated to version 1.79 and the crashes no longer occur.
BZ#593752
Previously, the NDBM_File module was missing in Perl packages and Perl could not provide support for NDBM files. With this update, NDBM_File has been added back to the Perl RPM packages.
BZ#676050
Previously, string evaluation in Perl threads sometimes resulted in an unexpected termination of the process. To partially fix this bug, handling of these strings has been moved to non-threaded variables. The update of the threads module to version 1.79 also contributed to the fix of this bug. Now, the crashes no longer occur in the described scenario.
BZ#621542
Due to a missing definition in Unicode table 4.0, Perl did not recognize the small letter Palochka (U+04cf). With this update, the Unicode table has been updated to version 5.0.1 and Palochka letters are now supported in Perl.
BZ#625746
When two nested loops were using the same iterator, the interpreter tried to double-free the iterator, resulting in a warning. Moreover, referring such an iterator caused the "Attempt to free unreferenced scalar" run-time error message to be returned. A backported patch from Perl 5.10.1 has been applied to handle shared iterators properly and no warnings or error messages are now returned in the described scenario.
BZ#676547
Previously, the value of a variable used for string evaluation was too small. Consequently, a large number of string evaluations made the interpreter return syntax error messages. Now, the variable for storing strings is using a bigger value and the error messages are no longer returned in the described scenario.
Users of perl are advised to upgrade to these updated packages, which fix these bugs.