Message-ID: <ra5dq7grenapn6i4u4wjdogxpxaqhqpbhwu3hhj4bovr42pad6@zta4tml47irw>
Date: Sun, 13 Apr 2025 21:32:31 +0200
From: Stig Palmquist <stig@...g.io>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes

On 2025-04-13 16:47, Solar Designer wrote:
[..]
> As it was mentioned in the advance notification to distros, the issue
> was introduced in:
> 
> https://github.com/Perl/perl5/commit/a311ee08b6781f83a7785f578a26bbc21a7ae457
> 
> which is part of tags v5.33.1 to v5.41.10, so I guess those versions are
> also affected.  The fix commit is effectively a revert of the bug commit.

Hi Alexander,

Thank you for the feedback. We only considered release branches for the
affected versions.

To fix this, the CVE record has been updated to take into account
development versions and release candidates:

      Versions:  from 5.41.0 through 5.41.10
                 from 5.39.0 before 5.40.2-RC1
                 from 5.33.1 before 5.38.4-RC1

Best,
-- 
Stig Palmquist
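The version ranges in the updated CVE record are easy to misread when a release candidate is the upper bound, since 5.40.2-RC1 must sort before 5.40.2 and the bound is exclusive. The following is an added example (not code from the CVE record, the Perl project, or the poster) that encodes the three ranges exactly as stated above and checks a Perl version string against them. It accepts the dotted form (5.40.1, v5.40.2-RC1) and the numeric form Perl itself reports in `$]` (5.040001 for 5.40.1); the parsing rules and the `AFFECTED_RANGES` table are this example's own assumptions about the format, not part of the record.

```python
"""Range check for the CVE-2024-56406 affected-version list quoted above.

Added example: the ranges are copied from the message, the version parsing
and ordering rules are assumptions made here, not part of the CVE record.
"""
import re
from typing import List, Tuple

# (lower bound, inclusive; upper bound; whether the upper bound is inclusive)
# exactly as the updated record states them in the message.
AFFECTED_RANGES: List[Tuple[str, str, bool]] = [
    ("5.41.0", "5.41.10", True),        # from 5.41.0 through 5.41.10
    ("5.39.0", "5.40.2-RC1", False),    # from 5.39.0 before 5.40.2-RC1
    ("5.33.1", "5.38.4-RC1", False),    # from 5.33.1 before 5.38.4-RC1
]

# Sortable key: (major, minor, patch, is_final, rc_number).  A release
# candidate gets is_final = 0 so it orders before the final release of the
# same number, which is what "before 5.40.2-RC1" relies on.
VersionKey = Tuple[int, int, int, int, int]

_DOTTED = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)
_NUMERIC = re.compile(r"^(\d+)\.(\d{3})(\d{3})$")   # Perl's $] form, e.g. 5.040001


def parse_version(text: str) -> VersionKey:
    """Parse a dotted or $]-style Perl version into a comparable key."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        rc = m.group(4)
        return (major, minor, patch, 0 if rc else 1, int(rc) if rc else 0)
    m = _NUMERIC.match(text)
    if m:
        # $] carries no RC marker, so a numeric version is treated as final.
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)), 1, 0)
    raise ValueError(f"unrecognised Perl version: {text!r}")


def is_affected(version: str) -> bool:
    """True if the version lies inside any of AFFECTED_RANGES."""
    key = parse_version(version)
    for low, high, inclusive in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if key < lo:
            continue
        if key < hi or (inclusive and key == hi):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs covering both forms and both kinds of bound.
    for v in ("5.040001", "5.40.2-RC1", "5.40.2", "5.38.3", "5.41.10", "5.32.1"):
        print(f"{v:>12}: {'affected' if is_affected(v) else 'not affected'}")
```

The check is a pure upstream-version comparison: a distribution package whose Perl reports a version inside these ranges may already carry the backported fix, so confirm against the distribution's own advisory or changelog rather than the version number alone.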