-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathperl5241cdelta.html
420 lines (259 loc) · 22.8 KB
/
perl5241cdelta.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>perl5241cdelta - what is new for cperl v5.24.1</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:[email protected]" />
</head>
<body>
<ul id="index">
<li><a href="#NAME">NAME</a></li>
<li><a href="#DESCRIPTION">DESCRIPTION</a></li>
<li><a href="#Notice">Notice</a></li>
<li><a href="#Security">Security</a>
<ul>
<li><a href="#n-buffer-overflows">@{ \327 \n } buffer overflows</a></li>
<li><a href="#eval-q-.-chr-overlarge-stack-overflow">eval "q" . chr(overlarge) stack overflow</a></li>
<li><a href="#Protect-and-warn-on-hash-flood-DoS">Protect and warn on hash flood DoS</a></li>
<li><a href="#Warn-on-metasploit-CVE-2015-1592">Warn on metasploit CVE-2015-1592</a></li>
<li><a href="#Warn-on-metasploit-reverse-shells">Warn on metasploit reverse shells</a></li>
</ul>
</li>
<li><a href="#Performance-Enhancements">Performance Enhancements</a></li>
<li><a href="#Modules-and-Pragmata">Modules and Pragmata</a>
<ul>
<li><a href="#Updated-Modules-and-Pragmata">Updated Modules and Pragmata</a></li>
</ul>
</li>
<li><a href="#Diagnostics">Diagnostics</a>
<ul>
<li><a href="#New-Diagnostics">New Diagnostics</a>
<ul>
<li><a href="#New-Errors">New Errors</a></li>
<li><a href="#New-Warnings">New Warnings</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#Configuration-and-Compilation">Configuration and Compilation</a></li>
<li><a href="#Testing">Testing</a></li>
<li><a href="#Internal-Changes">Internal Changes</a></li>
<li><a href="#Selected-Bug-Fixes">Selected Bug Fixes</a></li>
<li><a href="#Acknowledgements">Acknowledgements</a></li>
<li><a href="#Reporting-Bugs">Reporting Bugs</a></li>
<li><a href="#SEE-ALSO">SEE ALSO</a></li>
</ul>
<h1 id="NAME">NAME</h1>
<p>perl5241cdelta - what is new for cperl v5.24.1</p>
<h1 id="DESCRIPTION">DESCRIPTION</h1>
<p>This document describes perl-only differences between the cperl 5.24.0 release and the cperl 5.24.1 release.</p>
<p>If you are upgrading from an earlier release such as 5.22.3, first read <a href="/cperl/perl5240cdelta.html">perl5240cdelta</a>, which describes differences between 5.22.3 and 5.24.0.</p>
<h1 id="Notice">Notice</h1>
<p>perl5.24.1 upstream was a security update to non-existing problem. cperl added PERLIO_DEBUG as optional handle to redirect DEBUGGING outout via -Dx switches to. This is only usable with DEBUGGING perls, which are not used in production, only during development. perl5.24.1 changed PERLIO_DEBUG to only be active for PerlIO debugging together with <code>-Di</code>.</p>
<h1 id="Security">Security</h1>
<h2 id="n-buffer-overflows"><code>@{ \327 \n }</code> buffer overflows</h2>
<p>Fixed <code>@{ \327 \n }</code> tokenizer failures and heap buffer overflows in <code>sv_vcatpvfn_flags()</code> with wrong tracking of <code>PL_linestr</code>, the currently parsed line buffer. This can easily lead to security relevant exploits.</p>
<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128951">[perl #128951]</a></p>
<h2 id="eval-q-.-chr-overlarge-stack-overflow"><code>eval "q" . chr(overlarge)</code> stack overflow</h2>
<p>In <code>eval "q" . chr(100000000064)</code> generating the error message <code>Can't find string terminator "XXX"'</code> was overrunning a local buffer designed to hold a single utf8 char, since it wasn't allowing for the <code>\0</code> at the end.</p>
<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128952">[perl #128952]</a></p>
<h2 id="Protect-and-warn-on-hash-flood-DoS">Protect and warn on hash flood DoS</h2>
<p>If the collisions for a hash key lookup exceeds 128 tries (i.e. a linear search in a linked list), this qualifies as a malicious hash DoS (<i>Denial of Service</i>) attack. Generally maximal 8 collisions appear in normal hash table usage. Every 8th such hash flood attack performs a <code>sleep(2)</code> to limit the impact.</p>
<p>This security scheme is much easier and faster than trying to hide the random hash seed with randomized iterators and collisions lists, which cperl doesn't use.</p>
<h2 id="Warn-on-metasploit-CVE-2015-1592">Warn on metasploit CVE-2015-1592</h2>
<p>Detection of the destructive attack against Movable-Type, the third vector only, which tries to delete <i>mt-config.cgi</i> was added to was added to <a href="/cperl/lib/Storable.html">Storable</a> 3.01c.</p>
<p>Warns with "SECURITY: Movable-Type CVE-2015-1592 Storable metasploit attack" but does not protect against it.</p>
<h2 id="Warn-on-metasploit-reverse-shells">Warn on metasploit reverse shells</h2>
<p>Detect the metasploit payload unix/reverse_perl and some existing variants. This is just a dumb match at startup against existing exploits in the wild, but not future variants. Warns with "SECURITY: metasploit reverse/bind shell payload", but do not protect against it. This warning is thrown even without <code>-w</code>.</p>
<p>Also detects the CVE-2012-1823 reverse/bind shell payload, which is widely exploited too. The security warning is called "SECURITY: CVE-2012-1823 reverse/bind shell payload".</p>
<h1 id="Performance-Enhancements">Performance Enhancements</h1>
<ul>
<li><p>Out-of-bounds check elimination in loops has been fixed for lexical counters. E.g. with <code>my @a=(0..4); for my $i (0..$#a) { $a[$i] }</code> each access to <code>$a[$i]</code> in the loop is now really converted to the unchecked faster <b>aelem_u</b> op.</p>
<p>Note that multideref ops are not yet converted to omit out-of-bounds checks. This is only implemented since cperl-5.25 (released with 5.26.0c), since it needs to widen the internal mderef structure.</p>
</li>
<li><p>Improvements when reading from arrays have been imported from perl 5.25. <code>av_fetch()</code> uses less branches reading from the end (negative indices), and a branch checking for freed <code>@_</code> elements has been removed,</p>
</li>
<li><p>The new <code>strEQc</code>/<code>strNEc</code> macros are used instead of <code>strEQ(s,"constant")</code>. This enables word-wise comparison via memcpy, in opposite of byte-wise comparisons via strcmp with already known sizes. This is a 10% performance improvement under most optimization levels.</p>
<p>Use more <code>strEQc</code>, <code>strNEc</code> macros, when safe to use, i.e. the left buffer is big enough, now with Address Sanitizer fallbacks.</p>
<p>The new fast buffer comparison macros <code>strEQc</code> and <code>strNEc</code> compare a full string including the final <code>\0</code>, <code>memEQc</code> and <code>memNEc</code> just the start of a buffer, with constants strings. Note that valgrind and Address Sanitizer will complain about out of range access of the left side of the buffer. To access these buffers however is safe and will not lead to SIGBUS on stricter platforms. To prevent valgrind from warning on this, you may want to define <code>-DVALGRIND</code>, which uses a safe and slower fallback macro.</p>
</li>
<li><p>aassign: pre-allocate needed hash size with aassign, similar to arrays, avoiding run-time hash splits. e.g. <code>my %h = (.. =</code> .., .. => ..)></p>
<p>This version is 30% faster overall in the Mail::SpamAssassin testsuite than cperl-5.24.0.</p>
</li>
<li><p>Pre-extend internal hashes and stashes to avoid unnecessary boot-time hash splits. <code>%warnings::</code>, <code>%Config::</code>, <code>%utf8::</code>, <code>%version::</code>.</p>
</li>
</ul>
<h1 id="Modules-and-Pragmata">Modules and Pragmata</h1>
<h2 id="Updated-Modules-and-Pragmata">Updated Modules and Pragmata</h2>
<dl>
<dt id="Cpanel::JSON::XS-3.027_03">Cpanel::JSON::XS 3.027_03</dt>
<dd>
<p>New stringify_infnan(3) infnan_mode. Fix inf/nan detection on HP-UX and others. Use faster strEQc macros. Prefer memEQ for systems without memcmp, to use bcmp there. Add more expect_false() to inf/nan branches. Fix av and hv length types: protect from security sensitive overflows, add HVMAX_T and RITER_T Add new "Hash key too large" error. perl5 silently truncates it, but we prefer errors.</p>
</dd>
<dt id="Term::ReadKey-2.35">Term::ReadKey 2.35</dt>
<dd>
<p>ReadKey.pm renamed to ReadKey_pm.PL, expand blockoptions specific variants already at installation, no load-time eval, demand-load Carp, remove unneeded AutoLoader, harmonize formatting</p>
</dd>
<dt id="B-1.62_05">B 1.62_05</dt>
<dd>
<p>Allow a 2nd optional CV argument for B::OP::aux_list, fixing B::Deparse and thereby Data::Dumper and Test2 is_deeply.</p>
</dd>
<dt id="Storable-3.01c">Storable 3.01c</dt>
<dd>
<p><a href="#Warn-on-metasploit-CVE-2015-1592">"Warn on metasploit CVE-2015-1592"</a></p>
</dd>
<dt id="Config-6.22">Config 6.22</dt>
<dd>
<p>protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc). Add <code>i_netinet_in_systm</code>. Removed <code>i_netinet6_in6</code>.</p>
</dd>
<dt id="YAML::XS-0.73">YAML::XS 0.73</dt>
<dd>
<p>merged with upstream libyaml 0.1.7 avoid duplicate checks against NULL fix libyaml clang -Wlogical-op warnings fix libyaml clang -Wlogical-not-parentheses warnings</p>
</dd>
<dt id="List::Util-1.45_06">List::Util 1.45_06</dt>
<dd>
<p>sum/min/max need to call SvGETMAGIC</p>
</dd>
<dt id="Sub::Util-1.45_06">Sub::Util 1.45_06</dt>
<dd>
<p>set_subname memory fix by @bluhm from Sub::Name 0.20 [cpan #117072]</p>
<p>Fixes for older perls, esp. lexical $_ support.</p>
<p>Reinstate the &DB::sub setter, but no UTF8 support yet.</p>
</dd>
<dt id="ExtUtils::Liblist::Kid-8.04_06">ExtUtils::Liblist::Kid 8.04_06</dt>
<dd>
<p>one more darwin fix for the wrong no library found warning for symlinked darwin libSystem.dylib libraries.</p>
</dd>
<dt id="IO::Socket::IP-0.38">IO::Socket::IP 0.38</dt>
<dd>
<p>protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc).</p>
<p>From https://github.com/atoomic/IO-Socket-IP/:</p>
<p>- Support setting custom socket options with new Sockopts constructor parameter</p>
<p>- Restore blocking mode after ->connect errors [cpan #112334]</p>
</dd>
<dt id="Time::HiRes-1.9739">Time::HiRes 1.9739</dt>
<dd>
<p>More Darwin thread fixes for clock_gettime, Sierra support, test improvements.</p>
</dd>
<dt id="Socket-2.024_04">Socket 2.024_04</dt>
<dd>
<p>Merge cpan 2.024 with our 2.021_02, plus fix some problems in their new code.</p>
<p>Fixes for OpenBSD: Probe for <i>netinet/in_systm.h</i> Removed <code>i_netinet6_in6</code> probe. This was never used due to a typo. It cannot be used due to RFC 2553.</p>
</dd>
<dt id="DynaLoader-2.05c">DynaLoader 2.05c</dt>
<dd>
<p>no mathoms: call_sv instead of call_pv, get_cvs where available.</p>
</dd>
<dt id="B-C-1.54_13">B-C 1.54_13</dt>
<dd>
<p>Better CopFILE_set, Fixup arenasize refcnt. Delay cvref to init2, properly set a SvRV to a XS sub. Optimize constpv for CvFILE (less constants to merge for gcc). Improve NV precision by one digit. Fix to compile in utf8_heavy.pl, abstract and set %INC. Fix generation of @B::C::Config::deps on Windows. Fix !C99 precedence bug (e.g. MSVC). Minor refactor to simplify save_hek. Use the new get_svs, get_avs, get_hvs macros. perlcc add --debug|-D Improve endav XSUB bump Abstract RITER_T and HVMAX_T for the various sizes, compat HEK_STATIC Defer REGCOMP for \P{} properties Change $sv->EXTFLAGS to compflags since 5.22 for CALLREGCOMP(). Turn off MGf_REFCOUNTED. global-buffer-overflow with dynamic COW strings, wrong savepvn args.</p>
</dd>
<dt id="base-2.23_01">base 2.23_01</dt>
<dd>
<p>fixes for missing . in @INC (cperl or -Dfortify_inc).</p>
</dd>
</dl>
<h1 id="Diagnostics">Diagnostics</h1>
<p>The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see <a href="/cperl/perldiag.html">perldiag</a>.</p>
<h2 id="New-Diagnostics">New Diagnostics</h2>
<h3 id="New-Errors">New Errors</h3>
<ul>
<li><p>The <a href="/cperl/perldiag.html#Too-many-elements">Too many elements</a> error is now triggered when accessing or extending an out of bounds array index or trying to insert too many hash keys. This is to prevent from silent hash or array overflows. Previously extending a hash beyond it's capable size was silently ignored, leading to performance degradation with overly high fill factors and extending an array failed only on memory exhaustion, but the signed index led to an index overflow between I32 and U32, resp. I64 and U64.</p>
<p>Even worse, accessing overflown unsigned array indices would silently access the signed counterpart, indices at the end.</p>
<p>Note that the out of bound error message with shaped arrays is different. (cperl only)</p>
</li>
<li><p>The <a href="/cperl/perldiag.html#panic:-hash-key-too-long-u">Panic: hash key too long</a> error is now thrown with overlarge hash keys in every <code>hv_common</code> access and in <a href="/cperl/lib/Cpanel/JSON/XS.html">Cpanel::JSON::XS</a>. perl5 still silently ignores those failures, and truncates the keys. Many more similar <code>panic: (file|keyword|mro|stash)? name too long</code> errors were added to the parser and compiler to protect from overlong names (> I32_MAX, 2147483647). (cperl only)</p>
</li>
</ul>
<h3 id="New-Warnings">New Warnings</h3>
<ul>
<li><p>The new security warning "Hash flood" was added. See <a href="#Protect-and-warn-on-hash-flood-DoS">"Protect and warn on hash flood DoS"</a>. (cperl only)</p>
</li>
<li><p>The new <code>security</code> warnings "metasploit reverse/bind shell payload" and "CVE-2012-1823 reverse/bind shell payload" were added, detecting the existing metasploit/libxploit and phpcgi CVE-2012-1823 reverse and bind shells. See <a href="#Warn-on-metasploit-reverse-shells">"Warn on metasploit reverse shells"</a> (cperl only)</p>
</li>
</ul>
<h1 id="Configuration-and-Compilation">Configuration and Compilation</h1>
<ul>
<li><p>Added <code>sanitize_address</code> config entry and probe, and matching <code>USE_SANITIZE_ADDRESS</code> <i>config.h</i> define. (cperl only)</p>
</li>
<li><p>Removed <code>i_netinet6_in6</code> Config entry and probe, and matching <code>I_NETINET6_I6</code> <i>config.h</i> define, which was a typo. This was added with cperl-5.22.2 and was never used due to the typo. It cannot be used due to RFC 2553. (cperl only)</p>
</li>
<li><p>Added <code>i_netinet_in_systm</code> probe. (cperl only)</p>
</li>
</ul>
<h1 id="Testing">Testing</h1>
<ul>
<li><p><code>make minitest</code> has been vastly improved</p>
</li>
<li><p>Fix tests for the optional <code>-DNODEFAULT_SHAREKEYS</code> configuration.</p>
</li>
<li><p>Add hash flood tests with pre-created collision data for 511 collisions on seed=0.</p>
</li>
<li><p>Split <i>t/op/tr.t</i> into unicode and ebcdic variant</p>
</li>
<li><p>Don't warn on missing Pod::Man in CORE tests. Pod::Man is not a dependency for EUMM, as it needs EUMM at first.</p>
</li>
</ul>
<h1 id="Internal-Changes">Internal Changes</h1>
<ul>
<li><p>Increasing the hash size to values larger then U32_MAX are now silently ignored. This only affects 64-bit platforms. Normally a hash split to an overlarge value should die, but historically it silently ignored the split, it just increases the fill rate and decreases performance.</p>
</li>
</ul>
<h1 id="Selected-Bug-Fixes">Selected Bug Fixes</h1>
<ul>
<li><p>Fixed several <b>heap-buffer-overflows</b> detected by asan: use-after-free in Dynaloader (ReadKey probe with -DDEBUG_LEAKING_SCALAR), heap-overflow in gv_fetchfile (t/comp/parser.t), heap-overflow with signatures, heap-overflow in XSLoader, invalid memEQc in toke.c missing out on parsing #!perl -opts, B-C global-buffer-overflow with dynamic COW strings, wrong savepvn args.</p>
<p>There are still heap-use-after-free problems with perlcc and PERL_DESTRUCT_LEVEL=2.</p>
<p>See <a href="https://github.com/perl11/cperl/issues/207">[cperl #207]</a></p>
</li>
<li><p>Fixed overwriting the <code>HVhek_UNSHARED</code> bit in the hash loop broken with v5.9.</p>
<p>This fixed <code>-DNODEFAULT_SHAREKEYS</code>. In the default configuration without NODEFAULT_SHAREKEYS since 5.003_001 all hash keys are stored twice, once in the hash and once again in <code>PL_strtab</code>, the global string table, with the benefit of faster hash loops and copies. Almost all hashtables get the SHAREKEYS bit. With <code>-Accflags=-DNODEFAULT_SHAREKEYS</code> simple scripts are 20-30% faster. <a href="https://github.com/perl11/cperl/issues/201">[cperl #201]</a></p>
</li>
<li><p>Fix HEK_TAINTED check for HEf_SVKEY values. A HEf_SVKEY hek has no tainted flag, the pointed to SV has. This is a cperl-only security feature.</p>
</li>
<li><p>Only clear LS_COLORS for glob</p>
<p>When miniperl calls csh to implement glob(), we cleared %ENV temporarily to avoid csh dying on invalid values for things like LS_COLORS. That has proven to have far too many problems, since many system-dependent env vars are necessary for calling an external process. See the <a href="https://rt.perl.org/Public/Bug/Display.html?id=126041">[perl #126041]</a> ticket for details.</p>
<p>A better solution is temporarily to clear only those vars that are known to be problematic and make csh possibly fail. There only hap- pens to be one of those at present, namely LS_COLORS.</p>
</li>
<li><p>A SEGV in mess_sv during global destruction with a DEBUGGING perl and -DS been fixed, occuring when we wanted to report the location of an error when curcop has already been freed.</p>
<p>Testcase: <code>./miniperl -DS -e '$_="f"; s/./"&".$&/ee'</code></p>
<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129027">[perl #129027]</a></p>
</li>
<li><p>A SEGV in ck_shift with an empty/wrong current function, caused by a syntax error has been fixed. The syntax error is now reported lateron. Testcase: <code>'qq{@{sub{q}}]]}}; s0{shift'</code></p>
<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=125351">[perl #125351]</a></p>
</li>
<li><p>Since Perl 5.20, line numbers have been off by one when perl is invoked with the <b>-x</b> switch. This has been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128508">[perl #128508]</a></p>
</li>
<li><p>Handle missing Unicode heredoc terminators correctly. E.g. <code>perl -CS -e 'use utf8; q«'</code> prints now <code>Can't find string terminator "«" anywhere before EOF at -e line 1.</code></p>
<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128701">[perl #128701]</a></p>
</li>
<li><p>Mentioning a constant twice in a row does not lead to assertions errors with DEBUGGING builds, such as e.g. <code>sub ub(){0} ub ub</code>.</p>
</li>
<li><p>Fixed overwriting the HVhek_UNSHARED bit in the hash loop broken with v5.9.</p>
<p>This fixed <code>-DNODEFAULT_SHAREKEYS</code>. In the default configuration without NODEFAULT_SHAREKEYS since 5.003_001 all hash keys are stored twice, once in the hash and once again in <code>PL_strtab</code>, the global string table, with the benefit of faster hash loops and copies. Almost all hashtables get the SHAREKEYS bit. (#201)</p>
</li>
<li><p>Array and hash index overflow are now properly detected and throw an "Too many elements" error.</p>
<p>E.g. on 32bit <code>$ary[2147483648]</code> will lead to a compile-time error, <code>$i=2147483648; $ary[$i]</code> to a run-time error. Before 5.24c or with perl5 those two would silently overflow to <code>-1</code>, i.e. accessing the last element.</p>
<p>When inserting more than U32, i.e. 4294967295 hash elements, the same error is now thrown. Before 5.24c or with perl5 the element would have been inserted, with 32bit the hash table would not have been extended and the load factor would increase, the collisions and performance would decrease. On 64bit the hash table would have beed increased, but the elements would collide on the last element, leading to the same problems, just more dramatic.</p>
</li>
</ul>
<h1 id="Acknowledgements">Acknowledgements</h1>
<p>cperl 5.24.1 represents approximately 3 months of development since cperl 5.24.0c and contains approximately 15,000 lines of changes across 250 files from 11 authors.</p>
<p>Excluding auto-generated files, documentation and release tools, there were approximately 4,900 lines of changes to 130 .pm, .t, .c and .h files.</p>
<p>Perl continues to flourish into its third decade thanks to a vibrant community of users and developers. The following people are known to have contributed the improvements that became cperl 5.24.1c:</p>
<p>Reini Urban, Father Chrysostomos, David Mitchell, Daniel Dragan, Tony Cook, Lukas Mai, Yves Orton, Aristotle Pagaltzis, Misty De Meo, Karl Williamson, James Raspass, Nicholas Rochelemange.</p>
<p>The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the cperl issue tracker.</p>
<p>Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.</p>
<p>For a more complete list of all of Perl's historical contributors, please see the <i>AUTHORS</i> file in the Perl source distribution.</p>
<h1 id="Reporting-Bugs">Reporting Bugs</h1>
<p>If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at https://rt.perl.org/ . There may also be information at http://www.perl.org/ , the Perl Home Page.</p>
<p>If you believe you have an unreported bug, please run the <a>cperlbug</a> program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of <code>perl -V</code>, will be sent off to [email protected] to be analysed by the Perl porting team.</p>
<p>If you think it's a cperl specific bug or trust the cperl developers more please file an issue at <a href="https://github.com/perl11/cperl/issues">https://github.com/perl11/cperl/issues</a>.</p>
<p>If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see <a href="/cperl/perlsec.html#SECURITY-VULNERABILITY-CONTACT-INFORMATION">"SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec</a> for details of how to report the issue.</p>
<h1 id="SEE-ALSO">SEE ALSO</h1>
<p>The <i>Changes</i> file for an explanation of how to view exhaustive details on what changed.</p>
<p>The <i>INSTALL</i> file for how to build Perl.</p>
<p>The <i>README</i> file for general stuff.</p>
<p>The <i>Artistic</i> and <i>Copying</i> files for copyright information.</p>
</body>
</html>