A potential security vulnerability in the optional suidperl component
of Perl has been identified. suidperl is neither built nor installed
-by default. As of August the 20th, 2000, the only known vulnerable
+by default. As of September the 2nd, 2000, the only known vulnerable
platform is Linux, most likely all Linux distributions. CERT and
various vendors have been alerted about the vulnerability.
The problem was caused by Perl trying to report a suspected security
exploit attempt using an external program, /bin/mail. On Linux
-platforms the /bin/mail program had an undocumented feature which gave
-access to a root shell, resulting in a serious compromise instead of
-reporting the exploit attempt. If you don't have /bin/mail, or if you
-have 'safe setuid scripts', or if suidperl is not installed, you
-are safe.
+platforms the /bin/mail program had an undocumented feature which
+when combined with suidperl gave access to a root shell, resulting in
+a serious compromise instead of reporting the exploit attempt. If you
+don't have /bin/mail, or if you have 'safe setuid scripts', or if
+suidperl is not installed, you are safe.
The exploit attempt reporting feature has been completely removed from
the Perl 5.7.0 release, so that particular vulnerability isn't there
=item *
+A reference to a reference now stringify as "REF(0x81485ec)" instead
+of "SCALAR(0x81485ec)" in order to be more consistent with the return
+value of ref().
+
+=item *
+
The very dusty examples in the eg/ directory have been removed.
Suggestions for new shiny examples welcome but the main issue is that
the examples need to be documented, tested and (most importantly)
=item *
+The (bogus) escape sequences \8 and \9 now give an optional warning
+("Unrecognized escape passed through"). There is no need to \-escape
+any C<\w> character.
+
+=item *
+
lstat(FILEHANDLE) now gives a warning because the operation makes no sense.
In future releases this may become a fatal error.
the interface was a mistake. Sorry about that. For similar
functionality, see pack('U0', ...) and pack('C0', ...).
+=item *
+
+Although "you shouldn't do that", it was possible to write code that
+depends on Perl's hashed key order (Data::Dumper does this). The new
+algorithm "One-at-a-Time" produces a different hashed key order.
+More details are in L<perldelta/Performance Enhancements>.
+
=back
=head1 Core Enhancements
=item *
+Formats now support zero-padded decimal fields.
+
+=item *
+
C<perl -d:Module=arg,arg,arg> now works (previously one couldn't pass
in multiple arguments.)
=item *
+The printf and sprintf now support parameter reordering using the
+C<%\d+\$> and C<*\d+\$> syntaxes.
+
+=item *
+
prototype(\&) is now available.
=item *
Bug fixes and minor enhancements have been applied to B::Deparse,
Data::Dumper, IO::Poll, IO::Socket::INET, Math::BigFloat,
-Math::Complex, Math::Trig, Net::protoent, re, SelfLoader, Sys::SysLog,
-Test::Harness, Text::Wrap, UNIVERSAL.
+Math::Complex, Math::Trig, Net::protoent, the re pragma, SelfLoader,
+Sys::SysLog, Test::Harness, Text::Wrap, UNIVERSAL, and the warnings
+pragma.
=item *
use English '-no_performance_hit';
(Assuming, of course, that one doesn't need the troublesome variables
-C<$`>, C<$&>, or C<$'>.) Also, introduce C<@LAST_MATCH_START> and
+C<$`>, C<$&>, or C<$'>.) Also, introduced C<@LAST_MATCH_START> and
C<@LAST_MATCH_END> English aliases for C<@-> and C<@+>.
=item *
=item *
-The Emacs perl mode (emacs/cperl-mode.el) has been updated to version 4.31.
+The Emacs perl mode (emacs/cperl-mode.el) has been updated to version
+4.31.
=item *
-Perlbug is now much more robust. It also sends the bug report to perl.org,
-not perl.com.
+Perlbug is now much more robust. It also sends the bug report to
+perl.org, not perl.com.
=item *
sort() has been changed to use mergesort internally as opposed to the
earlier quicksort. For very small lists this may result in slightly
-slower sorting times, but in general the speedup should be at least 20%.
-Additional bonuses are that the worst case behaviour of sort() is now
-better (in computer science terms it now runs in time O(N log N), as
-opposed to quicksorts Theta(N**2) worst-case run time behaviour), and
-that sort() is now stable (meaning that elements with identical keys
-will stay ordered as they were before the sort).
+slower sorting times, but in general the speedup should be at least
+20%. Additional bonuses are that the worst case behaviour of sort()
+is now better (in computer science terms it now runs in time O(N log N),
+as opposed to quicksort's Theta(N**2) worst-case run time behaviour),
+and that sort() is now stable (meaning that elements with identical
+keys will stay ordered as they were before the sort).
+
+=item *
+
+Hashes now use Bob Jenkins "One-at-a-Time" hashing key algorithm
+(http://burtleburtle.net/bob/hash/doobs.html).
+This algorithm is reasonably fast while producing a much better spread
+of values. Hash values output from the algorithm on a hash of all
+3-char printable ASCII keys comes much closer to passing the DIEHARD
+random number generation tests. According to perlbench, this change
+has not affected the overall speed of Perl.
+
=back
=item *
-INSTALL now explains how you can configure perl to use 64-bit
+INSTALL now explains how you can configure Perl to use 64-bit
integers even on non-64-bit platforms.
=item *
-Policy.sh policy change: if you are reusing a Policy.sh file (see
-INSTALL) and you use Configure -Dprefix=/foo/bar and in the old
+Policy.sh policy change: if you are reusing a Policy.sh file
+(see INSTALL) and you use Configure -Dprefix=/foo/bar and in the old
Policy $prefix eq $siteprefix and $prefix eq $vendorprefix, all of
them will now be changed to the new prefix, /foo/bar. (Previously
only $prefix changed.) If you do not like this new behaviour,
with "fat binaries" where an executable image contains binaries for
more than one binary platform.)
+=item *
+
+Configure no longer included the DBM libraries (dbm, gdbm, db, ndbm)
+when building the Perl binary. The only exception to this is SunOS 4.x,
+which needs them.
+
=back
=head1 Selected Bug Fixes
scalar() now forces scalar context even when used in void context.
=item *
-
+
sort() arguments are now compiled in the right wantarray context
(they were accidentally using the context of the sort() itself).
BOMs (byte order marks) in the beginning of Perl files
(scripts, modules) should now be transparently skipped.
-UTF16 encoded Perl files should now be read correctly.
+UTF-16 (UCS-2) encoded Perl files should now be read correctly.
=item *
-The character tables have been updated to new Unicode 3.0 features.
+The character tables have been updated to Unicode 3.0.1.
=item *
=item *
+vec() now tries to work with characters <= 255 when possible, but it leaves
+higher character values in place. In that case, if vec() was used to modify
+the string, it is no longer considered to be utf8-encoded.
+
+=item *
+
Zero entries were missing from the Unicode classes like C<IsDigit>.
=back
=item *
Less stack reserved per thread so that more threads can run
-concurrently. (still 16M perl thread)
+concurrently. (Still 16M per thread.)
=item *
C<File::Spec->tmpdir()> now prefers C:/temp over /tmp
-(works better when perl running as service).
+(works better when perl is running as service).
=item *
=back
+=back
+
=head1 New or Changed Diagnostics
All regular expression compilation error messages are now hopefully
Building microperl does not require even running Configure;
C<make -f Makefile.micro> should be enough. Beware: microperl makes
many assumptions, some of which may be too bold; the resulting
-executable may crash or otherwise misbehave in wondrous ways. For
-careful hackers only.
+executable may crash or otherwise misbehave in wondrous ways.
+For careful hackers only.
=item *
all binaries with different ideas about file offsets, all this is
platform-dependent.
-=head2 ftmp-posix subtest 6 fails in VMS
-
-The test exposes a flushing bug in the VMS port of Perl, this failure
-as such can be ignored.
-
=head2 ftmp-security tests warn 'system possibly insecure'
Don't panic. Read INSTALL 'make test' section instead.
+=head2 Test lib/posix Subtest 9 Fails In LP64-Configured HP-UX
+
+If perl is configured with -Duse64bitall, the successful result of the
+subtest 10 of lib/posix may arrive before the successful result of the
+subtest 9, which confuses the test harness so much that it thinks the
+subtest 9 failed.
+
=head2 Long Doubles Still Don't Work In Solaris
The experimental long double support is still very much so in Solaris.
-(Other platforms like Linux and Tru64 are beginning to solidify in this area.)
+(Other platforms like Linux and Tru64 are beginning to solidify in
+this area.)
+
+=head2 Linux With Sfio Fails op/misc Test 48
+
+No known fix.
+
+=head2 sprintf tests 129 and 130
+
+The op/sprintf tests 129 and 130 are known to fail in some platforms.
+Examples include any platform using sfio, and Tandem's NonStop-UX.
+The failing platforms do not comply with the ANSI C Standard, line
+19ff on page 134 of ANSI X3.159 1989 to be exact. (They produce
+something else than "1" and "-1" when formatting 0.6 and -0.6 using
+the printf format "%.0f", most often they produce "0" and "-0".)
=head2 Storable tests fail in some platforms
+If any Storable tests fail the use of Storable is not advisable.
+
=over 4
=item *
This means that you cannot read old (pre-Storable-0.7) Storable images
made in other platforms.
+=item *
+
+st-store.t and st-retrieve may fail with Compaq C 6.2 on OpenVMS Alpha 7.2.
+
=back
+=head2 Threads Are Still Experimental
+
+Multithreading is still an experimental feature. Some platforms
+emit the following message for lib/thr5005
+
+ #
+ # This is a KNOWN FAILURE, and one of the reasons why threading
+ # is still an experimental feature. It is here to stop people
+ # from deploying threads in production. ;-)
+ #
+
+and another known thread-related warning is
+
+ pragma/overload......Unbalanced saves: 3 more saves than restores
+ panic: magic_mutexfree during global destruction.
+ ok
+ lib/selfloader.......Unbalanced saves: 3 more saves than restores
+ panic: magic_mutexfree during global destruction.
+ ok
+ lib/st-dclone........Unbalanced saves: 3 more saves than restores
+ panic: magic_mutexfree during global destruction.
+ ok
+
+=head2 The Compiler Suite Is Still Experimental
+
+The compiler suite is slowly getting better but is nowhere near
+working order yet. The backend part that has seen perhaps the most
+progress is the bytecode compiler.
+
=head1 Reporting Bugs
If you find what you think is a bug, you might check the articles
projects / p5sagit/p5-mst-13.2.git / blobdiff