PerlMonks  

Security Issues in Perl IP Address distros

by choroba (Archbishop)
on Mar 30, 2021 at 12:59 UTC ( #11130589=perlnews )

tl;dr:

  • Net-Netmask: Vulnerable before 2.00000 release. Upgrade now.
  • Net-CIDR-Lite: Affected and unmaintained.
  • Net-IPAddress-Util: Affected.
  • Data-Validate-IP: Depends on exactly how it's used. See below for details.
  • Socket: Appears unaffected.
  • Net-DNS: Appears unaffected.
  • NetAddr-IP: Appears unaffected.
  • Net-Subnet: Appears unaffected.
  • Net-Patricia: Appears unaffected.

map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]

Replies are listed 'Best First'.
Re: Security Issues in Perl IP Address distros
by parv (Vicar) on Mar 31, 2021 at 02:37 UTC
Re: Security Issues in Perl IP Address distros
by jeffenstein (Friar) on Mar 30, 2021 at 15:35 UTC

    If I'm reading it correctly, it only affects you if you've configured something using octal IP addresses, or you are trusting textual IP addresses from remote users. Is it really a security issue in that case?

      From my limited experience with security, everything that has the potential to behave differently than expected is considered a security issue. After the original node issue was published, I can imagine lots of people and robots trying to enter dangerous IPs everywhere just to see what happens.

      map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]
Re: Security Issues in Perl IP Address distros
by hippo (Chancellor) on Apr 06, 2021 at 12:54 UTC

    Note that Net::CIDR::Lite now has an active maintainer (STIGTSP) and as of version 0.22 has been patched to address this flaw.


    🦛
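
The case discussed in this thread, octal-looking addresses in text taken from remote users, can be closed off by refusing any dotted quad that is not in canonical decimal form before it reaches an address-matching module. The following Perl is an added example, not code from the thread or from any of the listed distributions; the function names `parse_ipv4_strict` and `both_readings` and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Strictly parse a dotted-quad IPv4 string. Returns the four octets, or an
# empty list when the text is not in canonical decimal form.
# (Hypothetical helper name, not part of any CPAN module.)
sub parse_ipv4_strict {
    my ($text) = @_;
    return unless defined $text;
    # \A...\z rather than ^...$ so a trailing newline is rejected; /a keeps
    # \d to ASCII digits only.
    my @octets = $text =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/a
        or return;
    for my $o (@octets) {
        return if length($o) > 1 && $o =~ /\A0/;   # leading zero: ambiguous
        return if $o > 255;                        # out of range
    }
    return map { $_ + 0 } @octets;
}

# Show how the same text reads under the two conventions: plain decimal,
# and the C inet_aton() convention where a leading 0 marks an octal number.
sub both_readings {
    my ($text) = @_;
    my @parts = split /\./, $text;
    my $dec = join '.', map { $_ + 0 } @parts;
    my $oct = join '.', map { /\A0[0-7]+\z/ ? oct($_) : $_ + 0 } @parts;
    return ($dec, $oct);
}

# Constructed sample inputs, as they might arrive from a remote user.
for my $text ('192.168.1.10', '010.0.0.1', '0177.0.0.1', '10.0.0.256') {
    if (my @octets = parse_ipv4_strict($text)) {
        print "accept  $text\n";
        next;
    }
    my ($dec, $oct) = both_readings($text);
    my $why = $dec ne $oct
        ? "ambiguous: $dec (decimal) vs $oct (octal)"
        : 'not a valid dotted quad';
    print "reject  $text  ($why)\n";
}
```

Rejecting the ambiguous forms outright, rather than normalising them, means an access-control check and the code that later opens the connection cannot disagree about which host the text names.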
