Severe Bug in PerlCtrl

pudge on 2002-01-15T21:50:24

ActiveState writes, "ActiveState has discovered a severe bug in the PerlCtrl component of the Perl Dev Kit that may result in deletion of the filesystem. The bug only occurs for PerlCtrls built using the -clean option.

When these controls are loaded and unloaded into memory without actually instantiating an instance of the control, arbitrary parts of the filesystem may be permanently deleted."

All versions of PerlCtrl released to date are vulnerable. Find out more information from the ActiveState bugs site.


Yet another problem with ActiveState

Ovid on 2002-01-16T22:43:10

This is a tad off-topic. You've been warned :)

Don't get me wrong. I've been fairly pleased with ActiveState Perl. We use it extensively at my company, but there are some serious issues with it that I feel ActiveState really hasn't done enough to address.

It's pretty common knowledge that PPM support is limited. Many of the modules are old and many CPAN modules don't exist in a PPM version. Savvy users can grab the latest tarball from the CPAN and use nmake on most modules, but those first coming to Perl seem to get frustrated.

The ActiveState Perl ISAPI dll (PerlIS.dll) doesn't support taint checking. If you're serious about security, this means dumping IIS (something many companies are unwilling to do), or forgoing the performance benefits and switching to straight CGI and then figuring out how to change the association to include taint checking. PerlEX is not a solution as ActiveState doesn't appear to support taint checking there, either. In my correspondence with them, a marketing person (certainly a voice of authority) informed me that they were considering supporting taint checking in the next release of PerlEX, but I'm not holding my breath.

I also recall reading about numerous users having problems with DBI when using ActiveState Perl. When I read through their mailing lists, they weren't doing a great job of answering those questions, but it's been a while since I've looked.

I realize that ActiveState is trying to make money, so continuously focusing on things that don't generate revenue might not seem to be in their best interest, but I think it would go a long way to building user goodwill. I like ActiveState, but I am a bit concerned about these issues. (And because they don't support taint checking with ISAPI or PerlEX, we've managed to convince our company to check out Apache on Linux or BSD.)

Now, I'll agree that this is totally unrelated to this security hole, but I have some concerns about ActiveState and this doesn't make me feel any better about 'em.