1PERL5283DELTA(1)       Perl Programmers Reference Guide       PERL5283DELTA(1)
2
3
4

NAME

6       perl5283delta - what is new for perl v5.28.3
7

DESCRIPTION

9       This document describes differences between the 5.28.2 release and the
10       5.28.3 release.
11
12       If you are upgrading from an earlier release such as 5.28.1, first read
13       perl5282delta, which describes differences between 5.28.1 and 5.28.2.
14

Security

16   [CVE-2020-10543] Buffer overflow caused by a crafted regular expression
17       A signed "size_t" integer overflow in the storage space calculations
18       for nested regular expression quantifiers could cause a heap buffer
19       overflow in Perl's regular expression compiler that overwrites memory
20       allocated after the regular expression storage space with attacker
21       supplied data.
22
23       The target system needs a sufficient amount of memory to allocate
24       partial expansions of the nested quantifiers prior to the overflow
25       occurring.  This requirement is unlikely to be met on 64-bit systems.
26
27       Discovered by: ManhND of The Tarantula Team, VinCSS (a member of
28       Vingroup).
29
30   [CVE-2020-10878] Integer overflow via malformed bytecode produced by a
31       crafted regular expression
32       Integer overflows in the calculation of offsets between instructions
33       for the regular expression engine could cause corruption of the
34       intermediate language state of a compiled regular expression.  An
35       attacker could abuse this behaviour to insert instructions into the
36       compiled form of a Perl regular expression.
37
38       Discovered by: Hugo van der Sanden and Slaven Rezic.
39
40   [CVE-2020-12723] Buffer overflow caused by a crafted regular expression
41       Recursive calls to "S_study_chunk()" by Perl's regular expression
42       compiler to optimize the intermediate language representation of a
43       regular expression could cause corruption of the intermediate language
44       state of a compiled regular expression.
45
46       Discovered by: Sergey Aleynikov.
47
48   Additional Note
49       An application written in Perl would only be vulnerable to any of the
50       above flaws if it evaluates regular expressions supplied by the
51       attacker.  Evaluating regular expressions in this fashion is known to
52       be dangerous since the regular expression engine does not protect
53       against denial of service attacks in this usage scenario.
54

Incompatible Changes

56       There are no changes intentionally incompatible with Perl 5.28.2.  If
57       any exist, they are bugs, and we request that you submit a report.  See
58       "Reporting Bugs" below.
59

Modules and Pragmata

61   Updated Modules and Pragmata
62       •   Module::CoreList has been upgraded from version 5.20190419 to
63           5.20200601_28.
64

Testing

66       Tests were added and changed to reflect the other additions and changes
67       in this release.
68

Acknowledgements

70       Perl 5.28.3 represents approximately 13 months of development since
71       Perl 5.28.2 and contains approximately 3,100 lines of changes across 48
72       files from 16 authors.
73
74       Excluding auto-generated files, documentation and release tools, there
75       were approximately 1,700 lines of changes to 9 .pm, .t, .c and .h
76       files.
77
78       Perl continues to flourish into its fourth decade thanks to a vibrant
79       community of users and developers.  The following people are known to
80       have contributed the improvements that became Perl 5.28.3:
81
82       Chris 'BinGOs' Williams, Dan Book, Hugo van der Sanden, James E Keenan,
83       John Lightsey, Karen Etheridge, Karl Williamson, Matthew Horsfall, Max
84       Maischein, Nicolas R., Renee Baecker, Sawyer X, Steve Hay, Tom Hukins,
85       Tony Cook, Zak B.  Elep.
86
87       The list above is almost certainly incomplete as it is automatically
88       generated from version control history.  In particular, it does not
89       include the names of the (very much appreciated) contributors who
90       reported issues to the Perl bug tracker.
91
92       Many of the changes included in this version originated in the CPAN
93       modules included in Perl's core.  We're grateful to the entire CPAN
94       community for helping Perl to flourish.
95
96       For a more complete list of all of Perl's historical contributors,
97       please see the AUTHORS file in the Perl source distribution.
98

Reporting Bugs

100       If you find what you think is a bug, you might check the perl bug
101       database at <https://github.com/Perl/perl5/issues>.  There may also be
102       information at <https://www.perl.org/>, the Perl Home Page.
103
104       If you believe you have an unreported bug, please open an issue at
105       <https://github.com/Perl/perl5/issues>.  Be sure to trim your bug down
106       to a tiny but sufficient test case.
107
108       If the bug you are reporting has security implications which make it
109       inappropriate to send to a public issue tracker, then see "SECURITY
110       VULNERABILITY CONTACT INFORMATION" in perlsec for details of how to
111       report the issue.
112

Give Thanks

114       If you wish to thank the Perl 5 Porters for the work we had done in
115       Perl 5, you can do so by running the "perlthanks" program:
116
117           perlthanks
118
119       This will send an email to the Perl 5 Porters list with your show of
120       thanks.
121

SEE ALSO

123       The Changes file for an explanation of how to view exhaustive details
124       on what changed.
125
126       The INSTALL file for how to build Perl.
127
128       The README file for general stuff.
129
130       The Artistic and Copying files for copyright information.
131
132
133
134perl v5.34.1                      2022-03-15                  PERL5283DELTA(1)
Impressum