[ List each security issue as a =head2 entry ]
+=head2 Avoid calling memset with a negative count
+
+Poorly written perl code that allows an attacker to specify the count to perl's
+C<x> string repeat operator can already cause a memory exhaustion
+denial-of-service attack. A flaw in versions of perl before 5.15.5 can escalate
+that into a heap buffer overrun; coupled with versions of glibc before 2.16, it
+possibly allows the execution of arbitrary code.
+
+The flaw addressed to this commit has been assigned identifier CVE-2012-5195.
+
=head1 Incompatible Changes
XXX For a release on a stable branch, this section aspires to be:
=item *
+L<AutoLoader> has been upgraded from version 5.72 to 5.73.
+
+=item *
+
L<B::Deparse> has been upgraded from version 1.17 to 1.18. It no longer
dies when deparsing C<sort> without arguments. It now correctly omits the
comma for C<system $prog @args> and C<exec $prog @args>.
=item *
+L<CPANPLUS> has been upgraded from version 0.9131 to 0.9133.
+
+=item *
+
+L<Data::Dumper> has been upgraded from version 2.135_07 to 2.136. This promotes
+the previous development release to a stable release.
+
+=item *
+
+L<Digest::SHA> has been upgraded from version 5.71 to 5.72.
+
+=item *
+
L<ExtUtils::CBuilder> has been upgraded from version 0.280208 to 0.280209. A
list of symbols to export can now be passed to C<link()> when on Windows, as on
other OSes [perl #115100].
=item *
+L<feature> has been upgraded from version 1.30 to 1.31.
+
+=item *
+
L<File::Glob> has been upgraded from version 1.17 to 1.18. A
space-separated list of patterns return long lists of results no longer
results in memory corruption or crashes. This bug was introduced in Perl
=item *
+L<HTTP::Tiny> has been upgraded from version 0.022 to 0.024. This improves
+SSL support.
+
+=item *
+
+L<Module::CoreList> has been upgraded from version 2.73 to 2.74.
+
+=item *
+
L<PerlIO::encoding> has been upgraded from version 0.15 to 0.16. This is
the module implementing the ":encoding(...)" I/O layer. It no longer
corrupts memory or crashes when the encoding back-end reallocates the
buffer or gives it a typeglob or shared hash key scalar.
+=item *
+
+L<threads::shared> has been upgraded from version 1.41 to 1.42. This adds
+support for dual-valued values as created by
+L<Scalar::Util::dualvar|Scalar::Util/"dualvar NUM, STRING">.
+
+=item *
+
+L<Unicode::Collate> hsa been upgraded from version 0.89 to 0.90.
+
+=item *
+
+L<Unicode::Normalize> has been upgraded from version 1.14 to 1.15.
+
+=item *
+
+L<warnings> has been upgraded from version 1.14 to 1.15.
+
+=item *
+
+L<Win32CORE> has been upgraded from version 0.03 to 0.04.
+
=back
=head2 Removed Modules and Pragmata
=over 4
-=item XXX-some-platform
+=item Win32
-XXX
+The option to build without USE_SOCKETS_AS_HANDLES has been removed.
=back
C<length($object)> no longer returns the undefined value if the object has
string overloading that returns undef. [perl #115260]
+=item *
+
+The use of C<PL_stashcache>, the stash name lookup cache for method calls, has
+been restored,
+
+Commit da6b625f78f5f133 in August 2011 inadvertently broke the code that looks
+up values in C<PL_stashcache>. As it's a only cache, quite correctly everything
+carried on working without it.
+
=back
=head1 Known Problems
projects / platform / upstream / perl.git / commitdiff