Is there a list of CERT advisories keyed to fixed Perl versions?

Is there a list of CERT advisories for Perl and the corresponding version in which p5p fixed them? I know that they have responded to almost all of the serious advisories with the patched versions for even the "unmaintained" versions.

I was wondering about that last week as I was reviewing a code base that runs on v5.8, a common situation for companies with big Perl applications that have been around for awhile. I'd like to have some chart that shows which vulnerabilities you have based on your Perl version.

I figure someone might have this somewhere, so I haven't done the work to make the list myself.

Curiously, I found that CERT has Perl programming standards. Now I'd like a Perl::Critic plugin that checks all the CERT things. I think that would be a good candidate for a TPF grant, actually.

Who's invented the day extender so I can get twice the time each day to do all the things I want? :)


Some of those CERT recommendations do list Perl::Critic modules under "Automated Detection." (This one, for example.) It would be pretty awesome to have a single policy bundle for all those recommendations, though.

I'm feeling an itch in my coding fingers...

It would be trivial to create a theme includes all the existing Perl::Critic policies that fall under the CERT guidelines. See

Patches welcome.


Another thing to consider would be for Perl::Critic (or cpan, etc) to trigger an alert when vulnerable CPAN modules are used.

The Java community has recently attempted to tackle this problem i.e. and,redhat-project-fights-java-vulnerabilities.aspx

Leave a comment

About brian d foy

user-pic I'm the author of Mastering Perl, and the co-author of Learning Perl (6th Edition), Intermediate Perl, Programming Perl (4th Edition) and Effective Perl Programming (2nd Edition).