Public bug reported:

A new release of perl is available for merging from Debian.

Ubuntu Proposed: 5.40.1-8ubuntu1
Debian Experimental: 5.42.2-2
Debian Unstable: 5.40.1-8

### New Debian Changes ###

perl (5.42.2-2) experimental; urgency=medium

  * [SECURITY] backport various fixes from upstream:
    + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
        (Closes: #1138863)
    + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
        (Closes: #1138858)
    + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
        (Closes: #1137345)
    + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
        (Closes: #1138856)
    + CVE-2026-48961: crash in zipdetails.
        (Closes: #1138855)
    + CVE-2026-48962: code execution in IO-Compress via output globs.
        (Closes: #1138854)
    + buffer overflows in pack().
        (Closes: #1138905)
    + buffer overflow in Storable.
        (Closes: #1138906)

 -- Niko Tyni <[email protected]>  Sat, 06 Jun 2026 18:02:30 +0300

perl (5.42.2-1) experimental; urgency=medium

  * Update to new upstream version 5.42.2.

 -- Niko Tyni <[email protected]>  Fri, 24 Apr 2026 22:39:00 +0300

perl (5.42.0-3) experimental; urgency=medium

  [ Helmut Grohne ]
  * Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)

 -- Niko Tyni <[email protected]>  Mon, 17 Nov 2025 21:03:18 +0200

perl (5.42.0-2) experimental; urgency=medium

  * Reinstate Provides: libtest2-suite-perl. (See #1080359)
  * Refresh cross build support files for most architectures.
  * Update lintian overrides for 5.42.

 -- Niko Tyni <[email protected]>  Sun, 24 Aug 2025 11:55:37 +0300

perl (5.42.0-1) experimental; urgency=medium

  * Update to new upstream version 5.42.0.

 -- Niko Tyni <[email protected]>  Sat, 16 Aug 2025 18:44:35 +0300


### Old Ubuntu Delta ###

perl (5.40.1-8ubuntu1) stonking; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability
    - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink
      linkname in Archive::Tar secure extract mode to prevent extraction
      outside the target directory
    - CVE-2026-42496

 -- Chrisa Oikonomou <[email protected]>  Thu, 02 Jul 2026
13:14:46 +0300

perl (5.40.1-8) unstable; urgency=medium

  * [SECURITY] backport various fixes from upstream:
    + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.
        (Closes: #1138863)
    + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.
        (Closes: #1138858)
    + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.
        (Closes: #1137345)
    + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.
        (Closes: #1138856)
    + CVE-2026-48961: crash in zipdetails.
        (Closes: #1138855)
    + CVE-2026-48962: code execution in IO-Compress via output globs.
        (Closes: #1138854)
    + buffer overflows in pack().
        (Closes: #1138905)
    + buffer overflow in Storable.
        (Closes: #1138906)

 -- Niko Tyni <[email protected]>  Sat, 06 Jun 2026 17:22:29 +0300

perl (5.40.1-7) unstable; urgency=medium

  [ Helmut Grohne ]
  * Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)

 -- Niko Tyni <[email protected]>  Sun, 16 Nov 2025 22:01:11 +0200

** Affects: perl (Ubuntu)
     Importance: Wishlist
         Status: New


** Tags: dcr-merge

** Changed in: perl (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: perl (Ubuntu)
    Milestone: None => ubuntu-26.05

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160262

Title:
  Merge perl 5.42.2-2 from Debian for stonking cycle

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2160262/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to