On Tue, Feb 04, 2003 at 12:52:13PM -0600, Jensen Kenneth B SrA AFPC/DPDMPQ wrote:

> I am trying to justify to my sys admin office reasons to upgrade our
> archaic systems from perl4 (4.0.1.8) to at the very least perl 5.004.

Wow! That brings back memories. 4.018 is over 11 years old. By the way, 4.036, the last release of perl4, is 10 years old tomorrow :-)

> Does anyone have any info, or references of possible security issues with perl 4?
> Or perhaps some other dangerous bugs that have been fixed since the perl4
> release? All the new functionality, bells & whistles haven't been enough to
> persuade them to act on this. I've had a hard time finding much
> documentation on perl4, besides manuals... which don't exactly point out
> flaws.

So, chuck the carrot and get out the stick. If flashy bells and whistles aren't enticing, how about support and security?

- From the unsupported directory on CPAN:

    NOTICE however that Perl 4 is effectively unsupported. No bug reports will be accepted, no fixes will be provided. Please migrate to Perl 5.

- From perlfaq1:

    If you face reluctance to upgrading from an older version of perl, then point out that version 4 is utterly unmaintained and unsupported by the Perl Development Team. If you want support and a reasonable guarantee that what you're developing will continue to work in the future, then you have to run the supported version. As of January 2002 that probably means running either of the releases 5.6.1 (released in April 2001) or 5.005_03 (released in March 1999), although 5.004_05 isn't that bad if you absolutely need such an old version (released in April 1999) for stability reasons. Anything older than 5.004_05 shouldn't be used.

    Of particular note is the massive bug hunt for buffer overflow problems that went into the 5.004 release. All releases prior to that, including perl4, are considered insecure and should be upgraded as soon as possible.

    In August 2000 in all Linux distributions a new security problem was found in the optional 'suidperl' (not built or installed by default) in all the Perl branches 5.6, 5.005, and 5.004, see http://www.cpan.org/src/5.0/sperl-2000-08-05/ Perl maintenance releases 5.6.1 and 5.8.0 have this security hole closed. Most, if not all, Linux distributions have patches for this vulnerability available, see http://www.linuxsecurity.com/advisories/ , but the most recommendable way is to upgrade to at least Perl 5.6.1.

Despite being a .0 release, 5.8.0 has proved remarkably robust. I would suggest going for 5.8.0, or 5.6.1 at the least.

--
Paul Johnson - [EMAIL PROTECTED]
http://www.pjcj.net