
1.95 Security Release


@jonasbn jonasbn released this 18 May 14:13
3681a1e

Security release, update recommended

  • Security: fix CVE-2026-8507, an integer overflow in print_attribute leading to
    a heap out-of-bounds write when the length of an OCTET STRING or BIT STRING
    attribute, multiplied by 4 as an int, overflows. Lengths > INT_MAX/4 now croak
    explicitly instead of wrapping.

  • Security (CVE-2026-8721): length-aware password handling across all XS entry points.
    Passwords are now extracted with SvPV (preserving the full Perl string length)
    rather than relying on strlen. APIs that accept an explicit length
    (PKCS12_verify_mac, dump_certs_keys_p12) receive the true byte count;
    APIs that use strlen internally (PKCS12_create, PKCS12_newpass) now
    croak with a clear diagnostic if the password contains an embedded NUL byte.

Thanks to the CPANsec team for reporting and assisting with these issues.
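The two fixes above share one pattern: trust the explicit byte count, never a derived one. The following C is an added illustration written for this page, not Crypt::OpenSSL::PKCS12's XS code. It assumes a hypothetical four-bytes-per-input-byte output size (the page names only the "int * 4" factor, not what it represents) and constructs its own sample password; it shows the unchecked multiplication wrapping to a tiny allocation size, the INT_MAX/4 guard that rejects such lengths, and how a strlen-based view of a Perl string with an embedded NUL silently truncates it, which is why the embedded-NUL check refuses the password outright.

```c
/*
 * Illustrative helpers for the 1.95 release notes (not the module's own code).
 * Build: cc -std=c99 -Wall example.c && ./a.out
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Pre-fix arithmetic, modelled with unsigned ints so the wrap-around is
 * defined C (signed overflow is undefined behaviour). For len > UINT_MAX/4
 * the product wraps, so an allocation sized from it is far too small for
 * the bytes that print_attribute-style code then writes into it.
 */
unsigned int attr_dump_size_unchecked(unsigned int len)
{
    return len * 4u;            /* wraps silently: 0x40000001 * 4 == 4 */
}

/*
 * Post-fix arithmetic: reject anything that would overflow int * 4 before
 * multiplying. Returns 0 and stores the size on success, -1 where the
 * 1.95 code croaks. The factor 4 is the hypothetical per-byte expansion.
 */
int attr_dump_size(int len, int *out)
{
    if (len < 0 || len > INT_MAX / 4)
        return -1;
    *out = len * 4;
    return 0;
}

/*
 * A password as an XS entry point receives it after SvPV: a pointer plus
 * the true Perl string length in bytes, which may contain NUL bytes.
 */
struct pw {
    const unsigned char *data;
    size_t len;
};

/* The length a strlen()-based API would act on: bytes before the first NUL. */
size_t pw_strlen_view(const struct pw *p)
{
    const unsigned char *nul = memchr(p->data, '\0', p->len);
    return nul ? (size_t)(nul - p->data) : p->len;
}

/*
 * Nonzero if the password holds an embedded NUL. An API that calls strlen
 * internally (PKCS12_create, PKCS12_newpass) would use only the prefix, so
 * the caller must refuse such passwords rather than pass them through.
 */
int pw_has_embedded_nul(const struct pw *p)
{
    return memchr(p->data, '\0', p->len) != NULL;
}

int main(void)
{
    int out;
    /* Constructed sample: a 10-byte password with a NUL in the middle. */
    const struct pw mixed = { (const unsigned char *)"hunter\0two", 10 };
    const struct pw plain = { (const unsigned char *)"hunter2", 7 };

    printf("unchecked 0x40000001 * 4 = %u\n", attr_dump_size_unchecked(0x40000001u));
    printf("checked   INT_MAX/4 + 1  -> %s\n",
           attr_dump_size(INT_MAX / 4 + 1, &out) == 0 ? "accepted" : "rejected");
    printf("strlen view of %zu-byte password: %zu bytes\n",
           mixed.len, pw_strlen_view(&mixed));
    printf("embedded NUL: mixed=%d plain=%d\n",
           pw_has_embedded_nul(&mixed), pw_has_embedded_nul(&plain));
    return 0;
}
```

The checked size function is the shape of the guard the note describes; in the real XS code the rejection is a croak rather than a return code, and the multiplier is whatever print_attribute actually expands each byte into.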

Full Changelog: 1.94...1.95