=head1 NAME

perl570delta - what's new for perl v5.7.0

=head1 DESCRIPTION

This document describes differences between the 5.6.0 release and
the 5.7.0 release.

=head1 Security Vulnerability Closed

A potential security vulnerability in the optional suidperl component
of Perl has been identified. suidperl is neither built nor installed
by default. As of September the 2nd, 2000, the only known vulnerable
platform is Linux, most likely all Linux distributions. CERT and
various vendors have been alerted about the vulnerability.

The problem was caused by Perl trying to report a suspected security
exploit attempt using an external program, /bin/mail. On Linux
platforms the /bin/mail program had an undocumented feature which
when combined with suidperl gave access to a root shell, resulting in
a serious compromise instead of reporting the exploit attempt. If you
don't have /bin/mail, or if you have 'safe setuid scripts', or if
suidperl is not installed, you are safe.

The exploit attempt reporting feature has been completely removed from
the Perl 5.7.0 release, so that particular vulnerability isn't there
anymore. However, further security vulnerabilities are,
unfortunately, always possible. The suidperl code is being reviewed
and if deemed too risky to continue to be supported, it may be
completely removed from future releases. In any case, suidperl should
only be used by security experts who know exactly what they are doing
and why they are using suidperl instead of some other solution such as
sudo ( see http://www.courtesan.com/sudo/ ).

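The following audit script is an example added to this document; it is not code from the Perl distribution. It checks, on the running host, the three conditions named above: whether /bin/mail exists, whether this perl was built with 'safe setuid scripts' (the Config.pm key d_suidsafe) or with suidperl emulation at all (d_dosuid), and whether a setuid suidperl binary is actually installed. The list of file names it searches for is an assumption made for the example.

```perl
#!/usr/bin/env perl
# Added audit check for the conditions named in perl570delta's security
# section; not code from the Perl project. It reads the build-time
# Config.pm keys d_dosuid (suidperl emulation compiled in) and
# d_suidsafe (kernel has safe setuid scripts), looks for a setuid
# suidperl binary, and checks for /bin/mail.
use strict;
use warnings;
use Config;
use File::Spec;

# Names under which a suidperl binary is commonly installed (assumption).
my @SUIDPERL_NAMES = ('suidperl', 'sperl', "sperl$Config{version}");

# Config.pm records yes/no build options as the strings 'define'/'undef'.
sub _defined_in_config {
    my ($key) = @_;
    return (defined $Config{$key} && $Config{$key} eq 'define') ? 1 : 0;
}

# Return a hashref describing this host's exposure per the text above:
# exposed only if /bin/mail exists, setuid scripts are not "safe", and a
# setuid suidperl binary is actually installed.
sub audit_suidperl {
    my %r = (
        mail_present      => (-x '/bin/mail') ? 1 : 0,
        safe_setuid       => _defined_in_config('d_suidsafe'),
        dosuid_configured => _defined_in_config('d_dosuid'),
        suidperl_binaries => [],
    );

    # Search PATH plus the directories this perl was installed into.
    my @dirs = grep { defined $_ && length $_ }
               (File::Spec->path(), $Config{installbin}, $Config{bin});
    my %seen;
    for my $dir (@dirs) {
        for my $name (@SUIDPERL_NAMES) {
            my $path = File::Spec->catfile($dir, $name);
            next if $seen{$path}++ || ! -f $path;
            push @{ $r{suidperl_binaries} }, {
                path   => $path,
                setuid => (-u $path) ? 1 : 0,   # -u tests the setuid bit
                owner  => (stat $path)[4],      # numeric uid of the owner
            };
        }
    }

    my $setuid_suidperl = grep { $_->{setuid} } @{ $r{suidperl_binaries} };
    $r{exposed} = ($r{mail_present} && !$r{safe_setuid} && $setuid_suidperl) ? 1 : 0;
    return \%r;
}

# Print a short report; the exit status is 1 when the host looks exposed.
sub main {
    my $r = audit_suidperl();
    printf "/bin/mail present:    %s\n", $r->{mail_present}      ? 'yes' : 'no';
    printf "safe setuid scripts:  %s\n", $r->{safe_setuid}       ? 'yes' : 'no';
    printf "suidperl compiled in: %s\n", $r->{dosuid_configured} ? 'yes' : 'no';
    for my $b (@{ $r->{suidperl_binaries} }) {
        printf "found %s (setuid=%d, owner uid=%d)\n",
               $b->{path}, $b->{setuid}, $b->{owner};
    }
    print $r->{exposed} ? "RESULT: exposed; remove or disable suidperl\n"
                        : "RESULT: not exposed to this issue\n";
    return $r->{exposed};
}

exit main() unless caller;
```

The script only reports; the remedy the text itself gives is to not install suidperl (or to clear its setuid bit) and to use sudo for privilege separation instead.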
=head1 Incompatible Changes

=over 4

=item *

Arrays now always interpolate into double-quoted strings:
constructs like "foo@bar" now always assume C<@bar> is an array,
whether or not the compiler has seen use of C<@bar>.

=item *

The semantics of bless(REF, REF) were unclear and until someone shows
that it makes some sense, it is forbidden.

=item *

A reference to a reference now stringifies as "REF(0x81485ec)" instead
of "SCALAR(0x81485ec)" in order to be more consistent with the return
value of ref().

=item *

The very dusty examples in the eg/ directory have been removed.
Suggestions for new shiny examples are welcome, but the main issue is that
the examples need to be documented, tested and (most importantly)
maintained.

=item *

The obsolete chat2 library that should never have been allowed
to escape the laboratory has been decommissioned.

=item *

The unimplemented POSIX regex features [[.cc.]] and [[=c=]] are still
recognised but now cause fatal errors. The previous behaviour of
ignoring them by default and warning if requested was unacceptable
since it, in a way, falsely promised that the features could be used.

=item *

The (bogus) escape sequences \8 and \9 now give an optional warning
("Unrecognized escape passed through"). There is no need to \-escape
any C<\w> character.

=item *

lstat(FILEHANDLE) now gives a warning because the operation makes no sense.
In future releases this may become a fatal error.

=item *

The long deprecated uppercase aliases for the string comparison
operators (EQ, NE, LT, LE, GE, GT) have now been removed.

=item *

The regular expression captured submatches ($1, $2, ...) are now
more consistently unset if the match fails, instead of leaving false
data lying around in them.

=item *

The tr///C and tr///U features have been removed and will not return;
the interface was a mistake. Sorry about that. For similar
functionality, see pack('U0', ...) and pack('C0', ...).

=back

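Two of the changes listed above, the array interpolation rule and the handling of $1 after a failed match, matter most in input-validation code. The following script is an example added to this document, not code from the Perl distribution; its sample inputs are constructed, and the username pattern it enforces is the example's own choice.

```perl
#!/usr/bin/env perl
# Added example, not code from perl570delta: two of the incompatible
# changes as they affect input-validation code. Sample inputs are
# constructed for the example.
use strict;
use warnings;

# Unsafe idiom: match in void context, then read $1. $1 is dynamically
# scoped and holds whatever the last *successful* match in scope left
# there, so reading it after a failed match can hand back stale data.
# The text above says 5.7.0 clears it more consistently, but code should
# not depend on that.
sub username_unsafe {
    my ($input) = @_;
    $input =~ /^([a-z][a-z0-9_]{0,15})$/;
    return $1;
}

# Safe idiom: take the capture from the match's own return value in list
# context. A failed match returns an empty list, so $name is undef, with
# no dependence on how the perl in use treats $1 after a failure.
sub username_safe {
    my ($input) = @_;
    my ($name) = $input =~ /^([a-z][a-z0-9_]{0,15})$/;
    return $name;
}

# Array interpolation: "@host" inside a double-quoted string is now
# always an array, so a literal '@' must be written as \@ (or the string
# built with single quotes or join). The unescaped form is taken as an
# array and, under "use strict", is an error rather than a literal '@'.
sub from_header {
    my ($user, $host) = @_;
    return "From: $user\@$host";
}

# Driver over constructed inputs; returns the list of accepted names.
sub main {
    my @inputs = ('alice', 'bob_99', 'Mallory', 'eve;id', '');
    my @accepted;
    for my $in (@inputs) {
        my $name = username_safe($in);
        if (defined $name) {
            push @accepted, $name;
            print "accept: ", from_header($name, 'example.org'), "\n";
        } else {
            printf "reject: %s\n", $in eq '' ? '(empty)' : $in;
        }
    }
    return @accepted;
}

main() unless caller;
```

The point of username_safe is that the decision is made from the match's return value, so a validator never acts on a capture variable that a failed match left alone.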
=head1 Core Enhancements

=over 4

=item *

C<perl -d:Module=arg,arg,arg> now works (previously one couldn't pass