The Perl project has recently disclosed the following vulnerabilities, which affect Perl v5.30 to v5.38.
- CVE-2023-47038 – Write past buffer end via illegal user-defined Unicode property
- CVE-2023-47039 – Perl for Windows binary hijacking vulnerability
Based on our latest risk assessment and understanding of the defect reports, no immediate action is required at this time.
- CVE-2023-47039 only affects Windows installations, so it is not relevant to cPanel installations.
- CVE-2023-47038 is only relevant during the use of \p in regexes, which our code does not use.
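To check the same question for your own Perl code, the following Python scanner lists `\p` and `\P` property escapes in source text. It is an added example, not cPanel's or the Perl project's code. The function names and the sample Perl input are constructed for illustration, and a hit only marks a line for review.

```python
import re
from typing import NamedTuple

# \p or \P followed by a braced name or a one-letter shorthand such as \pL.
# The lookbehind plus the (\\\\)* group require an odd number of backslashes,
# so "\\p" (an escaped backslash, then a literal "p") is not reported.
PROP_RE = re.compile(r"(?<!\\)(?:\\\\)*\\[pP](?:\{\s*\^?\s*([^}]*?)\s*\}|([A-Za-z]))")

class Hit(NamedTuple):
    line: int
    name: str
    kind: str  # "interpolated", "in/is-prefixed" or "builtin-style"

def classify(name: str) -> str:
    if "$" in name or "@" in name:
        return "interpolated"          # property name is decided at run time
    base = name.rsplit("::", 1)[-1]    # allow package-qualified names
    # Perl requires user-defined property names to start with In or Is;
    # built-in aliases (IsAlpha, InGreek) share the prefix, so review these.
    if re.match(r"I[ns][A-Za-z0-9_]", base):
        return "in/is-prefixed"
    return "builtin-style"

def scan_perl(source: str) -> list[Hit]:
    hits, in_pod = [], False
    for lineno, text in enumerate(source.splitlines(), 1):
        if re.match(r"=[A-Za-z]", text):         # POD directive at column 0
            in_pod = not text.startswith("=cut")
            continue
        if in_pod or text.lstrip().startswith("#"):
            continue                              # documentation or full-line comment
        for m in PROP_RE.finditer(text):
            name = m.group(1) if m.group(1) is not None else m.group(2)
            hits.append(Hit(lineno, name, classify(name)))
    return hits

# Constructed Perl input for illustration (not taken from any real code base).
SAMPLE = r'''#!/usr/bin/perl
# \p{Comment} on a full-line comment is ignored
my $ok   = $s =~ /^\p{Lu}\pL+$/;
my $mine = $s =~ /\p{IsMyProp}/;
my $dyn  = $s =~ /\P{$prop}/;
my $lit  = "C:\\path";
=pod
\p{InPod} is documentation
=cut
'''

if __name__ == "__main__":
    print(*scan_perl(SAMPLE), sep="\n")
```

The scan is static, so it does not see regex text that reaches the program as input at run time.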
To ensure cPanel installs are secure, a patched Perl 5.36 will be shipped with all supported versions of cPanel within the next six weeks. Servers that are on prior versions of cPanel are encouraged to update to the latest version of cPanel.
We continue to prioritize the safety of your hosting environment. We will update this post with more information as needed.
For more information from the Perl developers on these issues, please see: https://metacpan.org/release/PEVANS/perl-5.38.1/view/pod/perldelta.pod