Provided by: perl-doc_5.40.0-8_all bug

NAME

       perl5223delta - what is new for perl v5.22.3

DESCRIPTION

       This document describes differences between the 5.22.2 release and the 5.22.3 release.

       If you are upgrading from an earlier release such as 5.22.1, first read perl5222delta,
       which describes differences between 5.22.1 and 5.22.2.

Security

   -Di switch is now required for PerlIO debugging output
       Previously PerlIO debugging output would be sent to the file specified by the
       "PERLIO_DEBUG" environment variable if perl wasn't running setuid and the -T or -t
       switches hadn't been parsed yet.

       If perl performed output at a point where it hadn't yet parsed its switches this could
       result in perl creating or overwriting the file named by "PERLIO_DEBUG" even when the -T
       switch had been supplied.

       Perl now requires the -Di switch to produce PerlIO debugging output.  By default this is
       written to "stderr", but can optionally be redirected to a file by setting the
       "PERLIO_DEBUG" environment variable.

       If perl is running setuid or the -T switch was supplied "PERLIO_DEBUG" is ignored and the
       debugging output is sent to "stderr" as for any other -D switch.

   Core modules and tools no longer search "." for optional modules
       The tools and many modules supplied in core no longer search the default current directory
       entry in @INC for optional modules.  For example, Storable will remove the final "." from
       @INC before trying to load Log::Agent.

       This prevents an attacker injecting an optional module into a process run by another user
       where the current directory is writable by the attacker, e.g. the /tmp directory.

       In most cases this removal should not cause problems, but difficulties were encountered
       with base, which treats every module name supplied as optional.  These difficulties have
       not yet been resolved, so for this release there are no changes to base.  We hope to have
       a fix for base in Perl 5.22.4.

       To protect your own code from this attack, either remove the default "."  entry from @INC
       at the start of your script, so:

         #!/usr/bin/perl
         use strict;
         ...

       becomes:

         #!/usr/bin/perl
         BEGIN { pop @INC if $INC[-1] eq '.' }
         use strict;
         ...

       or for modules, remove "." from a localized @INC, so:

         my $can_foo = eval { require Foo; }

       becomes:

         my $can_foo = eval {
             local @INC = @INC;
             pop @INC if $INC[-1] eq '.';
             require Foo;
         };

Incompatible Changes

       Other than the security changes above there are no changes intentionally incompatible with
       Perl 5.22.2.  If any exist, they are bugs, and we request that you submit a report.  See
       "Reporting Bugs" below.

Modules and Pragmata

   Updated Modules and Pragmata
       •   Archive::Tar has been upgraded from version 2.04 to 2.04_01.

       •   bignum has been upgraded from version 0.39 to 0.39_01.

       •   CPAN has been upgraded from version 2.11 to 2.11_01.

       •   Digest has been upgraded from version 1.17 to 1.17_01.

       •   Digest::SHA has been upgraded from version 5.95 to 5.95_01.

       •   Encode has been upgraded from version 2.72 to 2.72_01.

       •   ExtUtils::Command has been upgraded from version 1.20 to 1.20_01.

       •   ExtUtils::MakeMaker has been upgraded from version 7.04_01 to 7.04_02.

       •   File::Fetch has been upgraded from version 0.48 to 0.48_01.

       •   File::Spec has been upgraded from version 3.56_01 to 3.56_02.

       •   HTTP::Tiny has been upgraded from version 0.054 to 0.054_01.

       •   IO has been upgraded from version 1.35 to 1.35_01.

       •   The IO-Compress modules have been upgraded from version 2.068 to 2.068_001.

       •   IPC::Cmd has been upgraded from version 0.92 to 0.92_01.

       •   JSON::PP has been upgraded from version 2.27300 to 2.27300_01.

       •   Locale::Maketext has been upgraded from version 1.26 to 1.26_01.

       •   Locale::Maketext::Simple has been upgraded from version 0.21 to 0.21_01.

       •   Memoize has been upgraded from version 1.03 to 1.03_01.

       •   Module::CoreList has been upgraded from version 5.20160429 to 5.20170114_22.

       •   Net::Ping has been upgraded from version 2.43 to 2.43_01.

       •   Parse::CPAN::Meta has been upgraded from version 1.4414 to 1.4414_001.

       •   Pod::Html has been upgraded from version 1.22 to 1.2201.

       •   Pod::Perldoc has been upgraded from version 3.25 to 3.25_01.

       •   Storable has been upgraded from version 2.53_01 to 2.53_02.

       •   Sys::Syslog has been upgraded from version 0.33 to 0.33_01.

       •   Test has been upgraded from version 1.26 to 1.26_01.

       •   Test::Harness has been upgraded from version 3.35 to 3.35_01.

       •   XSLoader has been upgraded from version 0.20 to 0.20_01, fixing a security hole in
           which binary files could be loaded from a path outside of @INC.  [GH #15418]
           <https://github.com/Perl/perl5/issues/15418>

Documentation

   Changes to Existing Documentation
       perlapio

       •   The documentation of "PERLIO_DEBUG" has been updated.

       perlrun

       •   The new -Di switch has been documented, and the documentation of "PERLIO_DEBUG" has
           been updated.

Testing

       •   A new test script, t/run/switchDx.t, has been added to test that the new -Di switch is
           working correctly.

Selected Bug Fixes

       •   The "PadlistNAMES" macro is an lvalue again.

Acknowledgements

       Perl 5.22.3 represents approximately 9 months of development since Perl 5.22.2 and
       contains approximately 4,400 lines of changes across 240 files from 20 authors.

       Excluding auto-generated files, documentation and release tools, there were approximately
       2,200 lines of changes to 170 .pm, .t, .c and .h files.

       Perl continues to flourish into its third decade thanks to a vibrant community of users
       and developers.  The following people are known to have contributed the improvements that
       became Perl 5.22.3:

       Aaron Crane, Abigail, Alex Vandiver, Aristotle Pagaltzis, Chad Granum, Chris 'BinGOs'
       Williams, Craig A. Berry, David Mitchell, Father Chrysostomos, James E Keenan, Jarkko
       Hietaniemi, Karen Etheridge, Karl Williamson, Matthew Horsfall, Niko Tyni, Ricardo Signes,
       Sawyer X, Stevan Little, Steve Hay, Tony Cook.

       The list above is almost certainly incomplete as it is automatically generated from
       version control history.  In particular, it does not include the names of the (very much
       appreciated) contributors who reported issues to the Perl bug tracker.

       Many of the changes included in this version originated in the CPAN modules included in
       Perl's core.  We're grateful to the entire CPAN community for helping Perl to flourish.

       For a more complete list of all of Perl's historical contributors, please see the AUTHORS
       file in the Perl source distribution.

Reporting Bugs

       If you find what you think is a bug, you might check the articles recently posted to the
       comp.lang.perl.misc newsgroup and the Perl bug database at https://rt.perl.org/ .  There
       may also be information at http://www.perl.org/ , the Perl Home Page.

       If you believe you have an unreported bug, please run the perlbug program included with
       your release.  Be sure to trim your bug down to a tiny but sufficient test case.  Your bug
       report, along with the output of "perl -V", will be sent off to perlbug@perl.org to be
       analysed by the Perl porting team.

       If the bug you are reporting has security implications, which make it inappropriate to
       send to a publicly archived mailing list, then please send it to
       perl5-security-report@perl.org.  This points to a closed subscription unarchived mailing
       list, which includes all the core committers, who will be able to help assess the impact
       of issues, figure out a resolution, and help co-ordinate the release of patches to
       mitigate or fix the problem across all platforms on which Perl is supported.  Please only
       use this address for security issues in the Perl core, not for modules independently
       distributed on CPAN.

SEE ALSO

       The Changes file for an explanation of how to view exhaustive details on what changed.

       The INSTALL file for how to build Perl.

       The README file for general stuff.

       The Artistic and Copying files for copyright information.