Security update for perl

Announcement ID:	SUSE-SU-2016:2263-1
Rating:	moderate
References:	bsc#928292 bsc#932894 bsc#967082 bsc#984906 bsc#987887 bsc#988311
Cross-References:	CVE-2015-8853 CVE-2016-1238 CVE-2016-2381 CVE-2016-6185
CVSS scores:	CVE-2016-1238 ( SUSE ): 6.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2016-1238 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-1238 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-2381 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-2381 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2016-6185 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-6185 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves four vulnerabilities and has two security fixes can now be installed.

Description:

This update for Perl fixes the following issues:

• CVE-2016-6185: Xsloader looking at a "(eval)" directory. (bsc#988311)
• CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
• CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
• CVE-2016-2381: Environment dup handling bug. (bsc#967082)
• "Insecure dependency in require" error in taint mode. (bsc#984906)
• Memory leak in 'use utf8' handling. (bsc#928292)
• Missing lock prototype to the debugger. (bsc#932894)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP1
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1326=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1326=1
• SUSE Linux Enterprise Server 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1326=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
  • perl-debugsource-5.18.2-11.1
  • perl-5.18.2-11.1
  • perl-base-5.18.2-11.1
  • perl-32bit-5.18.2-11.1
  • perl-base-debuginfo-5.18.2-11.1
  • perl-debuginfo-32bit-5.18.2-11.1
  • perl-debuginfo-5.18.2-11.1
• SUSE Linux Enterprise Desktop 12 SP1 (noarch)
  • perl-doc-5.18.2-11.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • perl-debugsource-5.18.2-11.1
  • perl-5.18.2-11.1
  • perl-base-5.18.2-11.1
  • perl-base-debuginfo-5.18.2-11.1
  • perl-debuginfo-5.18.2-11.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
  • perl-doc-5.18.2-11.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
  • perl-32bit-5.18.2-11.1
  • perl-debuginfo-32bit-5.18.2-11.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
  • perl-debugsource-5.18.2-11.1
  • perl-5.18.2-11.1
  • perl-base-5.18.2-11.1
  • perl-base-debuginfo-5.18.2-11.1
  • perl-debuginfo-5.18.2-11.1
• SUSE Linux Enterprise Server 12 SP1 (noarch)
  • perl-doc-5.18.2-11.1
• SUSE Linux Enterprise Server 12 SP1 (s390x x86_64)
  • perl-32bit-5.18.2-11.1
  • perl-debuginfo-32bit-5.18.2-11.1

References:

• https://www.suse.com/security/cve/CVE-2015-8853.html
• https://www.suse.com/security/cve/CVE-2016-1238.html
• https://www.suse.com/security/cve/CVE-2016-2381.html
• https://www.suse.com/security/cve/CVE-2016-6185.html
• https://bugzilla.suse.com/show_bug.cgi?id=928292
• https://bugzilla.suse.com/show_bug.cgi?id=932894
• https://bugzilla.suse.com/show_bug.cgi?id=967082
• https://bugzilla.suse.com/show_bug.cgi?id=984906
• https://bugzilla.suse.com/show_bug.cgi?id=987887
• https://bugzilla.suse.com/show_bug.cgi?id=988311