CVE

HeartBleed vulnerability and ActivePerl

Question: 

Is my Community/Business/Enterprise Edition version of ActivePerl vulnerable to HeartBleed?

Answer: 

ActivePerl Community/Business Editions which, as shipped, are affected:
- 5.14.4.1405 - upgrade to 5.14.4.1406 (Business Edition only) or 5.16.3.1604 to fix
- 5.16.3.1603 - upgrade to 5.16.3.1604 to fix
- 5.18.1.1800 - upgrade to 5.18.2.1802 to fix
- 5.18.2.1801 - upgrade to 5.18.2.1802 to fix

Modules supplied through PPM are unaffected.
Modules compiled locally must be reviewed locally for vulnerability.

Enterprise Editions can be distinguished from Community/Business Editions by the presence of an additional fifth number after the six-digit build number/version control number.
ActivePerl Enterprise Editions which, as shipped, are affected:
- 5.8.9.829.9 through 829.12
- 5.10.1.1009.9 through 1009.12
- 5.12.5.1206.2 through 1206.5
- 5.14.3.1404.2 through 1405.3
- 5.16.2.1602.2 through 1603.3

New Enterprise releases have been issued and can be located under the 2014Q1.1 folder.

HeartBleed vulnerability and ActivePython

Question: 

Is my Community/Business/Enterprise Edition version of ActivePython vulnerable to HeartBleed?

Answer: 

No Enterprise versions of ActivePython are vulnerable.

No Community/Business Edition versions of ActivePython 2.x and no Community/Business Edition versions of ActivePython 3.0, 3.1, and 3.2 are vulnerable to HeartBleed.

Only Community/Business Edition ActivePython 3.3.2.0 and 3.3.4.1 are vulnerable.
An updated 3.3 release will be needed to address the vulnerability.

Tcl Dev Kit and CVE-2015-1793

Question: 

Is the Tcl Dev Kit affected by CVE-2015-1793?

Answer: 

No releases of the Tcl Dev Kit are affected.

However, if you wrapped a product using the tls module at version 1.6.6, 1.6.6.1, or 1.6.7, your wrapped product is affected.

Mitigation:
Tls version 1.6.8 will be published to the TEApot soon, with a new version of the OpenSSL library. Upgrade the tls module in your Tcl to version 1.6.8, or fall back to 1.6.5. Then re-wrap your product to make a new version.

ActivePython and CVE-2015-1793

Question: 

Are ActivePython releases affected by CVE-2015-1793?

Answer: 

No ActivePython releases, in any product line, are affected by CVE-2015-1793.

ActivePerl and CVE-2015-1793

Question: 

Are ActivePerl releases affected by CVE-2015-1793?

Answer: 

No ActivePerl releases, in any product line, are affected by CVE-2015-1793.

ActiveTcl and CVE-2015-1793

Question: 

Are ActiveTcl releases affected by CVE-2015-1793?

Answer: 

ActiveTcl 8.4.6.1 is affected. No other releases were shipped with the OpenSSL libraries that have the issue.

Sites where Teacup updates have installed tls versions 1.6.6, 1.6.6.1, or 1.6.7 are also affected.

Mitigation:
tls version 1.6.7.1 will be released with an updated OpenSSL library, and can be installed to patch 8.4.6.1 or replace add-on tls versions in other releases.

Alternatively, teacup can be used to fall back to a tls version prior to 1.6.6, which is not affected.

HeartBleed vulnerability and ActiveTcl

Question: 

Is my version of Community/Business/Enterprise Edition ActiveTcl vulnerable to Heartbleed?

Answer: 

From a running tclsh:

% package require tls

The version of tls will be reported. Interpreters running tls 1.6.2 and 1.6.3 are vulnerable. Some installations of tls 1.6.1 are also vulnerable, depending on the age of the module: builds of 1.6.1 carrying a timestamp newer than Feb 2012 (the TEApot version is affected) are vulnerable.

Unless the tls module has been locally updated:
- Enterprise ActiveTcls shipped before 2012Q2 are unaffected,
- Community/Business Edition ActiveTcl 8.4.19.5 and older are unaffected,
- Community/Business Edition ActiveTcl 8.5.11.0 and older are unaffected,
- Community/Business Edition ActiveTcl 8.6.0.0b6 and older are unaffected.

You can mitigate HeartBleed by installing the fixed tls module from the TEApot service:

teacup install tls -exact 1.6.3.1

ActivePerl CVE-2012-5377 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5377, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActivePerl issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActivePerl has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command will copy the permissions of the Program Files directory to the Perl directory (replace with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Perl'"

Be advised that protecting Perl from this vulnerability *will* result in reduced functionality.
- Installing to a protected program files silo will mean you must have elevated privileges to use PPM or "CPAN" to install or update modules, and will mean that you will need to deal with any white space issues on your own. Use of modules will only be affected if the module design requires write access for the user.
- If you mitigate by using altered ACLs, you must have elevated privileges to use PPM or "CPAN" to install or update modules. Use of modules will only be affected if the module design requires write access for the user.

PowerShell is included in Windows 7. On older versions, you may be able to download it.

ActiveTcl CVE-2012-5378 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5378, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActiveTcl issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActiveTcl has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command will copy the permissions of the Program Files directory to the Tcl directory (replace with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Tcl'"

Be advised that protecting Tcl from this vulnerability *will* result in reduced functionality. With altered ACLs, teacup will be unable to manage modules unless it is run with elevated privileges.

PowerShell is included in Windows 7. On older versions, you may be able to download it.

ActivePython CVE-2012-5379 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5379, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActivePython issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActivePython has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command will copy the permissions of the Program Files directory to the Python directory (replace with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Python'"

Be advised that protecting Python from this vulnerability *will* result in reduced functionality. With altered ACLs, PyPM will be unable to manage modules unless it is run with elevated privileges. If you are using virtualenv, you will not be fully protected from this vulnerability unless you protect your virtualenv directory as well.

PowerShell is included in Windows 7. On older versions, you may be able to download it.
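The three answers above (CVE-2012-5377, CVE-2012-5378 and CVE-2012-5379) describe the same condition: an install directory on PATH that ordinary users can write to. The following script is an added example, not ActiveState's own tooling; it audits every directory on the current PATH for Allow entries granting write-type rights to broad groups, and wraps the FAQ's own Set-Acl mitigation in a function. It assumes Windows PowerShell on an English-language Windows host (the well-known group names below are English), and the `Protect-InstallDir` name and `$BroadGroups` list are this example's own choices.

```powershell
# Added example (not ActiveState's script). Audits PATH directories for the
# user-writable condition behind CVE-2012-5377/5378/5379 and offers the
# FAQ's mitigation (copy the Program Files ACL onto the install directory).
# Assumption: Windows PowerShell on an English-language Windows install.

# Principals whose write access to a PATH directory makes it user-writable.
$BroadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow creating, replacing or re-permissioning files in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-BroadWriteAces {
    # Returns the Allow ACEs on $Path that give a broad group any write-type right.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { $ace }
    }
}

function Protect-InstallDir {
    # The FAQ's mitigation, with -WhatIf/-Confirm support: apply the ACL of
    # Program Files to the install directory. Run elevated.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $template = Get-Acl -LiteralPath $env:ProgramFiles
    if ($PSCmdlet.ShouldProcess($Path, "Apply ACL of $env:ProgramFiles")) {
        Set-Acl -LiteralPath $Path -AclObject $template
    }
}

# Walk every directory on the effective PATH once and report offenders.
$dirs = ($env:Path -split ';') | Where-Object { $_ } | Sort-Object -Unique
foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $aces = @(Get-BroadWriteAces -Path $dir)
    if ($aces.Count -gt 0) {
        Write-Output "USER-WRITABLE PATH DIRECTORY: $dir"
        foreach ($ace in $aces) {
            Write-Output ('    {0,-40} {1}' -f $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
}
# Example mitigation dry run for an ActivePerl install: Protect-InstallDir 'C:\Perl' -WhatIf
```

After review, re-run the audit: a directory that now inherits only the Program Files entries should no longer be listed, and PPM, teacup or PyPM will need an elevated prompt to write there, as the answers above state.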