Public bug reported:
A new release of perl is available for merging from Debian.
Ubuntu Proposed: 5.40.1-8ubuntu1
Debian Experimental: 5.42.2-2
Debian Unstable: 5.40.1-8
### New Debian Changes ###
perl (5.42.2-2) experimental; urgency=medium
* [SECURITY] backport various fixes from upstream:
+ CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
(Closes: #1138863)
+ CVE-2026-7010: CRLF-validation in HTTP::Tiny.
(Closes: #1138858)
+ CVE-2026-8376: Buffer overflow in Perl_study_chunk.
(Closes: #1137345)
+ CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
(Closes: #1138856)
+ CVE-2026-48961: crash in zipdetails.
(Closes: #1138855)
+ CVE-2026-48962: code execution in IO-Compress via output globs.
(Closes: #1138854)
+ buffer overflows in pack().
(Closes: #1138905)
+ buffer overflow in Storable.
(Closes: #1138906)
-- Niko Tyni <[email protected]> Sat, 06 Jun 2026 18:02:30 +0300
perl (5.42.2-1) experimental; urgency=medium
* Update to new upstream version 5.42.2.
-- Niko Tyni <[email protected]> Fri, 24 Apr 2026 22:39:00 +0300
perl (5.42.0-3) experimental; urgency=medium
[ Helmut Grohne ]
* Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)
-- Niko Tyni <[email protected]> Mon, 17 Nov 2025 21:03:18 +0200
perl (5.42.0-2) experimental; urgency=medium
* Reinstate Provides: libtest2-suite-perl. (See #1080359)
* Refresh cross build support files for most architectures.
* Update lintian overrides for 5.42.
-- Niko Tyni <[email protected]> Sun, 24 Aug 2025 11:55:37 +0300
perl (5.42.0-1) experimental; urgency=medium
* Update to new upstream version 5.42.0.
-- Niko Tyni <[email protected]> Sat, 16 Aug 2025 18:44:35 +0300
### Old Ubuntu Delta ###
perl (5.40.1-8ubuntu1) stonking; urgency=medium
* SECURITY UPDATE: directory traversal vulnerability
- debian/patches/CVE-2026-42496.patch: validate symlink and hardlink
linkname in Archive::Tar secure extract mode to prevent extraction
outside the target directory
- CVE-2026-42496
-- Chrisa Oikonomou <[email protected]> Thu, 02 Jul 2026
13:14:46 +0300
perl (5.40.1-8) unstable; urgency=medium
* [SECURITY] backport various fixes from upstream:
+ CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
(Closes: #1138863)
+ CVE-2026-7010: CRLF-validation in HTTP::Tiny.
(Closes: #1138858)
+ CVE-2026-8376: Buffer overflow in Perl_study_chunk.
(Closes: #1137345)
+ CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
(Closes: #1138856)
+ CVE-2026-48961: crash in zipdetails.
(Closes: #1138855)
+ CVE-2026-48962: code execution in IO-Compress via output globs.
(Closes: #1138854)
+ buffer overflows in pack().
(Closes: #1138905)
+ buffer overflow in Storable.
(Closes: #1138906)
-- Niko Tyni <[email protected]> Sat, 06 Jun 2026 17:22:29 +0300
perl (5.40.1-7) unstable; urgency=medium
[ Helmut Grohne ]
* Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)
-- Niko Tyni <[email protected]> Sun, 16 Nov 2025 22:01:11 +0200
** Affects: perl (Ubuntu)
Importance: Wishlist
Status: New
** Tags: dcr-merge
** Changed in: perl (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: perl (Ubuntu)
Milestone: None => ubuntu-26.05
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160262
Title:
Merge perl 5.42.2-2 from Debian for stonking cycle
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2160262/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs