On Mon, 14 Apr 2025 11:20:22 +0000 Einar Bjarni Halldórsson <ei...@isnic.is> wrote:
> CVE-2024-56406 was announced on oss-security yesterday and affects
> perl versions:
>
> from 5.41.0 through 5.41.10
> from 5.39.0 before 5.40.2-RC1
> from 5.33.1 before 5.38.4-RC1
>
> Still, there are no updates for lang/perl5.36, 38 or 40.
>
> I tried building 5.40.2 using a ports overlay tree, but it doesn’t work.
> Ports that depend on perl5 use PERL_VERSION= 5.40.1 even if I update
> version.mk.
> I assume it’s because it’s in an overlay.
>
> I checked bugzilla, found no PR. Does anybody know if an update is being
> worked on?
>
> .einar

Not sure there is someone working on upgrading perl (found no open review for it on Phabricator, either), so replying about overlay only.

Overlays are treated by the ports framework, so /usr/ports/Mk/ should be needed to work (not overlaid, at least until code to treat overlays starts working).

You should override the default version via DEFAULT_VERSIONS in your /etc/make.conf like DEFAULT_VERSIONS+= perl5=5.40.

What version is valid is in /usr/ports/Mk/bsd.default-versions.mk.

Not actually tested, but if you have lang/perl5.40 pointing to the version you want in version.mk there, choosing 5.40 may work.

--
Tomoaki AOKI <junch...@dec.sakura.ne.jp>