Is there a list of CERT advisories keyed to fixed Perl versions?
Is there a list of CERT advisories for Perl and the corresponding version in which p5p fixed them? I know that they have responded to almost all of the serious advisories with the patched versions for even the "unmaintained" versions.
I was wondering about that last week as I was reviewing a code base that runs on v5.8, a common situation for companies with big Perl applications that have been around for a while. I'd like to have some chart that shows which vulnerabilities you have based on your Perl version.
I figure someone might have this somewhere, so I haven't done the work to make the list myself.
Curiously, I found that CERT has Perl programming standards. Now I'd like a Perl::Critic plugin that checks all the CERT things. I think that would be a good candidate for a TPF grant, actually.
Who's invented the day extender so I can get twice the time each day to do all the things I want? :)
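The "which vulnerabilities apply to my Perl version" chart the post asks for is mostly a lookup problem, with one wrinkle: p5p backports fixes to several branches, so an issue can be fixed in 5.8.9 and 5.10.1 while 5.10.0 stays affected. The script below is an added example (not from the original post), written for a Perl 5.8-era code base; it uses only the `version` module, and the advisory table is constructed with placeholder IDs that you would fill in from CERT, NVD and the relevant perldeltas.

```perl
#!/usr/bin/perl
# Added example: report which advisory-table entries still apply to a given
# Perl version, matching fix releases within the same maintenance branch.
use strict;
use warnings;
use version 0.77;

# Constructed table (placeholder IDs, not real advisories).  'fixed_in' lists
# the first fixed release on every branch that received a backport; a branch
# that is absent never got the fix.
my @advisories = (
    {
        id       => 'ADVISORY-PLACEHOLDER-1',
        summary  => 'issue fixed on both the 5.8 and 5.10 branches',
        fixed_in => [ '5.8.9', '5.10.1' ],
    },
    {
        id       => 'ADVISORY-PLACEHOLDER-2',
        summary  => 'issue fixed on 5.12 and later only',
        fixed_in => [ '5.12.4', '5.14.2' ],
    },
);

# Parse a dotted version such as "5.8.8" (a leading "v" is optional).
sub parse_v {
    my ($s) = @_;
    $s =~ s/^v//;
    return version->parse("v$s");
}

# "v5.8.8" -> v5.8: fixes are compared within a branch, never across branches.
sub branch_of {
    my ($v) = @_;
    my ($maj, $min) = $v->normal =~ /^v(\d+)\.(\d+)/;
    return version->parse("v$maj.$min");
}

# Returns undef when $target is not affected, otherwise a short reason.
sub status {
    my ($target, $adv) = @_;
    my $tb    = branch_of($target);
    my @fixes = map { parse_v($_) } @{ $adv->{fixed_in} };
    my ($fix) = grep { branch_of($_) == $tb } @fixes;
    if (defined $fix) {
        return $target >= $fix ? undef : 'fixed in ' . $fix->normal;
    }
    # No backport on this branch.  Newer than every fixed branch means the
    # fix predates the branch (assumed safe); older means it never got one.
    my ($newest) = sort { $b <=> $a } map { branch_of($_) } @fixes;
    return $tb > $newest ? undef : 'no fix released on this branch';
}

# $] is the running interpreter's decimal version (e.g. 5.008008).
my $target = @ARGV ? parse_v($ARGV[0]) : version->parse($]);
printf "Checking perl %s (branch %s)\n", $target->normal, branch_of($target);
for my $adv (@advisories) {
    my $why = status($target, $adv) or next;
    printf "  %-24s %-45s %s\n", $adv->{id}, $adv->{summary}, $why;
}
```

Run it as `perl check.pl 5.8.8` or with no argument to check the interpreter it runs under. With the constructed table, 5.8.8 reports both placeholders (one "fixed in v5.8.9", one "no fix released on this branch"), 5.10.0 reports only the first, and 5.16.0 reports nothing.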
Hi brian! You can search the CVE/NVD for a lot of products, including perl, separated by version.
The link below, for example, should contain the list of known vulnerabilities ever found in perl:
http://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cve_id=&query=&cwe_id=&cpe_product=cpe%3A%2Fa%3Aperl%3Aperl&cpe_version=&pub_date_start_month=-1&pub_date_start_year=-1&pub_date_end_month=-1&pub_date_end_year=-1&mod_date_start_month=-1&mod_date_start_year=-1&mod_date_end_month=-1&mod_date_end_year=-1&cvss_sev_base=&cvss_av=&cvss_ac=&cvss_au=&cvss_c=&cvss_i=&cvss_a=
Is that the only place where vulnerabilities are reported? 18 results seems really low, and I don't see a Syslog report in there.
Some of those CERT recommendations do list Perl::Critic modules under "Automated Detection." (This one, for example.) It would be pretty awesome to have a single policy bundle for all those recommendations, though.
I'm feeling an itch in my coding fingers...
xkcd: 28 Hour Day
It would be trivial to create a theme that includes all the existing Perl::Critic policies that fall under the CERT guidelines. See
http://search.cpan.org/~thaljef/Perl-Critic-1.118/lib/Perl/Critic/DEVELOPER.pod#Themes
Patches welcome.
-Jeff
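As an added example (not Jeff's code or the Perl::Critic project's), here is what such a theme looks like in practice: a `.perlcriticrc` that tags a set of policies with `add_themes = cert`, written to a temporary file and run through the Perl::Critic API against a constructed snippet. Which policies belong in the theme is taken from the "Automated Detection" sections of the CERT pages; the five listed here are an assumed selection for illustration, not the CERT mapping.

```perl
#!/usr/bin/perl
# Added example: build a "cert" Perl::Critic theme from an inline profile and
# run only that theme over a sample of code.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Perl::Critic;

# Assumed selection of existing Perl::Critic policies; the real list comes
# from the CERT recommendations' "Automated Detection" entries.
my $profile = <<'END_RC';
theme = cert

[TestingAndDebugging::RequireUseStrict]
add_themes = cert

[TestingAndDebugging::RequireUseWarnings]
add_themes = cert

[InputOutput::ProhibitTwoArgOpen]
add_themes = cert

[InputOutput::RequireCheckedOpen]
add_themes = cert

[BuiltinFunctions::ProhibitStringyEval]
add_themes = cert
END_RC

# Perl::Critic reads the profile from a file, so write it out temporarily.
my ( $fh, $rc ) = tempfile( SUFFIX => '.perlcriticrc', UNLINK => 1 );
print {$fh} $profile;
close $fh or die "close: $!";

# -severity 1 so that every tagged policy fires regardless of its own level.
my $critic = Perl::Critic->new( -profile => $rc, -theme => 'cert', -severity => 1 );

# Constructed sample that trips several of the tagged policies.
my $code = <<'END_CODE';
open(FH, "$ARGV[0]");
eval "print <FH>";
END_CODE

my @violations = $critic->critique( \$code );
print "Found ", scalar(@violations), " violation(s) under theme 'cert'\n";
print $_ for @violations;
```

The same profile works from the command line once saved as `.perlcriticrc`: `perlcritic --theme cert lib/`. Themes compose with boolean expressions, so `--theme 'cert && bugs'` narrows the run to the tagged policies that are also in the stock `bugs` theme.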
Another thing to consider would be for Perl::Critic (or cpan, etc) to trigger an alert when vulnerable CPAN modules are used.
The Java community has recently attempted to tackle this problem, i.e. https://github.com/jeremylong/DependencyCheck#readme and http://www.scmagazine.com.au/News/320617,redhat-project-fights-java-vulnerabilities.aspx
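A minimal CPAN analogue of that idea, added here as an example rather than taken from the thread or from DependencyCheck: enumerate installed distributions with the core `ExtUtils::Installed` module and flag any whose version falls inside an advisory's affected range. The advisory entries and the default inventory are constructed with placeholder names so the matching can be seen offline; passing `--system` switches to the real install.

```perl
#!/usr/bin/perl
# Added example: audit installed CPAN distributions against an advisory table
# of affected version ranges.
use strict;
use warnings;
use version 0.77;
use ExtUtils::Installed;

# Constructed advisory feed (placeholder IDs and module names).  A module is
# affected when introduced <= installed < fixed.
my @advisories = (
    { id => 'ADVISORY-PLACEHOLDER-A', module => 'Example::Parser',
      introduced => '1.00', fixed => '1.23' },
    { id => 'ADVISORY-PLACEHOLDER-B', module => 'Example::Net',
      introduced => '1.50', fixed => '2.00' },
);

# Versions of every installed distribution, keyed by distribution name.
sub installed_versions {
    my $inst = ExtUtils::Installed->new;
    my %have;
    for my $dist ( $inst->modules ) {
        my $ver = eval { $inst->version($dist) };
        $have{$dist} = $ver if defined $ver && length $ver;
    }
    return \%have;
}

# True when the installed version sits inside the advisory's affected range.
sub affected {
    my ( $have, $adv ) = @_;
    my $v = eval { version->parse($have) } or return 0;   # unparsable: skip
    return $v >= version->parse( $adv->{introduced} )
        && $v <  version->parse( $adv->{fixed} );
}

# Returns the advisories that apply to the given inventory.
sub audit {
    my ( $inventory, $advisories ) = @_;
    my @hits;
    for my $adv (@$advisories) {
        my $have = $inventory->{ $adv->{module} };
        next unless defined $have;
        push @hits, { %$adv, have => $have } if affected( $have, $adv );
    }
    return @hits;
}

# Constructed inventory by default; --system reads the real installation.
my $inventory = ( @ARGV && $ARGV[0] eq '--system' )
    ? installed_versions()
    : { 'Example::Parser' => '1.10', 'Example::Net' => '2.01' };

my @hits = audit( $inventory, \@advisories );
printf "%d affected distribution(s)\n", scalar @hits;
printf "  %-24s %-18s installed %-6s fixed in %s\n",
    @{$_}{qw(id module have fixed)} for @hits;
```

With the constructed inventory only `Example::Parser` (1.10, fixed in 1.23) is reported; `Example::Net` at 2.01 is past the fix. The same loop is what a `cpan`-side hook would run before installing a distribution, provided an advisory feed in this shape existed for CPAN.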