source: trunk/essentials/dev-lang/perl/pod/perl570delta.pod@ 3439

=head1 NAME

perl570delta - what's new for perl v5.7.0

=head1 DESCRIPTION

This document describes differences between the 5.6.0 release and
the 5.7.0 release.

=head1 Security Vulnerability Closed

A potential security vulnerability in the optional suidperl component
of Perl has been identified.  suidperl is neither built nor installed
by default.  As of September the 2nd, 2000, the only known vulnerable
platform is Linux, most likely all Linux distributions.  CERT and
various vendors have been alerted about the vulnerability.

The problem was caused by Perl trying to report a suspected security
exploit attempt using an external program, /bin/mail.  On Linux
platforms the /bin/mail program had an undocumented feature which
when combined with suidperl gave access to a root shell, resulting in
a serious compromise instead of reporting the exploit attempt.  If you
don't have /bin/mail, or if you have 'safe setuid scripts', or if
suidperl is not installed, you are safe.

The exploit attempt reporting feature has been completely removed from
the Perl 5.7.0 release, so that particular vulnerability isn't there
anymore.  However, further security vulnerabilities are,
unfortunately, always possible.  The suidperl code is being reviewed
and if deemed too risky to continue to be supported, it may be
completely removed from future releases.  In any case, suidperl should
only be used by security experts who know exactly what they are doing
and why they are using suidperl instead of some other solution such as
sudo ( see http://www.courtesan.com/sudo/ ).

=head1 Incompatible Changes

=over 4