author | Steve Hay <steve.m.hay@googlemail.com> | 2018-11-29 20:49:00 +0000
---|---|---
committer | Steve Hay <steve.m.hay@googlemail.com> | 2018-11-29 20:49:00 +0000
commit | 43323ad1f893493cf772c75d969510cc929db3bc |
tree | 8fc4b5e02f2d39f44f9dc2bcb872a801bf3f3975 | /pod/perl5263delta.pod
parent | 0a26304aa8fb5fc9cc6b4a9c725134cf6ced6917 |
download | perl-43323ad1f893493cf772c75d969510cc929db3bc.tar.gz |
Import perl5263delta.pod and perl5281delta.pod
Diffstat (limited to 'pod/perl5263delta.pod')
-rw-r--r-- | pod/perl5263delta.pod | 201 |
1 files changed, 201 insertions, 0 deletions
diff --git a/pod/perl5263delta.pod b/pod/perl5263delta.pod new file mode 100644 index 0000000000..43ec1f45a6 --- /dev/null +++ b/pod/perl5263delta.pod 
@@ -0,0 +1,201 @@ +=encoding utf8 + +=head1 NAME + +perl5263delta - what is new for perl v5.26.3 + +=head1 DESCRIPTION + +This document describes differences between the 5.26.2 release and the 5.26.3 +release. + +If you are upgrading from an earlier release such as 5.26.1, first read +L<perl5262delta>, which describes differences between 5.26.1 and 5.26.2. + +=head1 Security + +=head2 [CVE-2018-12015] Directory traversal in module Archive::Tar + +By default, L<Archive::Tar> doesn't allow extracting files outside the current +working directory. However, this secure extraction mode could be bypassed by +putting a symlink and a regular file with the same name into the tar file. + +L<[perl #133250]|https://rt.perl.org/Ticket/Display.html?id=133250> +L<[cpan #125523]|https://rt.cpan.org/Ticket/Display.html?id=125523> + +=head2 [CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault + +Integer arithmetic in C<Perl_my_setenv()> could wrap when the combined length +of the environment variable name and value exceeded around 0x7fffffff. This +could lead to writing beyond the end of an allocated buffer with attacker +supplied data. + +L<[perl #133204]|https://rt.perl.org/Ticket/Display.html?id=133204> + +=head2 [CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow write during +compilation, potentially allowing arbitrary code execution. + +L<[perl #133423]|https://rt.perl.org/Ticket/Display.html?id=133423> + +=head2 [CVE-2018-18313] Heap-buffer-overflow read in S_grok_bslash_N (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow read during +compilation, potentially leading to sensitive information being leaked. 
+ +L<[perl #133192]|https://rt.perl.org/Ticket/Display.html?id=133192> + +=head2 [CVE-2018-18314] Heap-buffer-overflow write in S_regatom (regcomp.c) + +A crafted regular expression could cause heap-buffer-overflow write during +compilation, potentially allowing arbitrary code execution. + +L<[perl #131649]|https://rt.perl.org/Ticket/Display.html?id=131649> + +=head1 Incompatible Changes + +There are no changes intentionally incompatible with 5.26.2. If any exist, +they are bugs, and we request that you submit a report. See +L</Reporting Bugs> below. + +=head1 Modules and Pragmata + +=head2 Updated Modules and Pragmata + +=over 4 + +=item * + +L<Archive::Tar> has been upgraded from version 2.24 to 2.24_01. + +=item * + +L<Module::CoreList> has been upgraded from version 5.20180414_26 to 5.20181129_26. + +=back + +=head1 Diagnostics + +The following additions or changes have been made to diagnostic output, +including warnings and fatal error messages. For the complete list of +diagnostic messages, see L<perldiag>. + +=head2 New Diagnostics + +=head3 New Errors + +=over 4 + +=item * + +L<Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Unexpected ']' with no following ')' in (?[... in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +(F) While parsing an extended character class a ']' character was encountered +at a point in the definition where the only legal use of ']' is to close the +character class definition as part of a '])', you may have forgotten the close +paren, or otherwise confused the parser. + +=item * + +L<Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +(F) While parsing a nested extended character class like: + + (?[ ... (?flags:(?[ ... ])) ... 
]) + ^ + +we expected to see a close paren ')' (marked by ^) but did not. + +=item * + +L<Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Expecting close paren for wrapper for nested extended charclass in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +(F) While parsing a nested extended character class like: + + (?[ ... (?flags:(?[ ... ])) ... ]) + ^ + +we expected to see a close paren ')' (marked by ^) but did not. + +=back + +=head2 Changes to Existing Diagnostics + +=over 4 + +=item * + +L<Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>|perldiag/"Syntax error in (?[...]) in regex; marked by E<lt>-- HERE in mE<sol>%sE<sol>"> + +This fatal error message has been slightly expanded (from "Syntax error in +(?[...]) in regex mE<sol>%sE<sol>") for greater clarity. + +=back + +=head1 Acknowledgements + +Perl 5.26.3 represents approximately 8 months of development since Perl 5.26.2 +and contains approximately 4,500 lines of changes across 51 files from 15 +authors. + +Excluding auto-generated files, documentation and release tools, there were +approximately 770 lines of changes to 10 .pm, .t, .c and .h files. + +Perl continues to flourish into its third decade thanks to a vibrant community +of users and developers. The following people are known to have contributed +the improvements that became Perl 5.26.3: + +Aaron Crane, Abigail, Chris 'BinGOs' Williams, Dagfinn Ilmari Mannsåker, David +Mitchell, H.Merijn Brand, James E Keenan, John SJ Anderson, Karen Etheridge, +Karl Williamson, Sawyer X, Steve Hay, Todd Rinaldo, Tony Cook, Yves Orton. + +The list above is almost certainly incomplete as it is automatically generated +from version control history. In particular, it does not include the names of +the (very much appreciated) contributors who reported issues to the Perl bug +tracker. 
+ +Many of the changes included in this version originated in the CPAN modules +included in Perl's core. We're grateful to the entire CPAN community for +helping Perl to flourish. + +For a more complete list of all of Perl's historical contributors, please see +the F<AUTHORS> file in the Perl source distribution. + +=head1 Reporting Bugs + +If you find what you think is a bug, you might check the perl bug database +at L<https://rt.perl.org/> . There may also be information at +L<http://www.perl.org/> , the Perl Home Page. + +If you believe you have an unreported bug, please run the L<perlbug> program +included with your release. Be sure to trim your bug down to a tiny but +sufficient test case. Your bug report, along with the output of C<perl -V>, +will be sent off to perlbug@perl.org to be analysed by the Perl porting team. + +If the bug you are reporting has security implications which make it +inappropriate to send to a publicly archived mailing list, then see +L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> +for details of how to report the issue. + +=head1 Give Thanks + +If you wish to thank the Perl 5 Porters for the work we had done in Perl 5, +you can do so by running the C<perlthanks> program: + + perlthanks + +This will send an email to the Perl 5 Porters list with your show of thanks. + +=head1 SEE ALSO + +The F<Changes> file for an explanation of how to view exhaustive details on +what changed. + +The F<INSTALL> file for how to build Perl. + +The F<README> file for general stuff. + +The F<Artistic> and F<Copying> files for copyright information. + +=cut |
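Review bot: the CVE-2018-18312 and CVE-2018-18314 sections in the Security part of this hunk carry the identical heading "Heap-buffer-overflow write in S_regatom (regcomp.c)" and word-for-word identical body text, so the only thing that distinguishes them is the ticket link (perl #133423 vs. perl #131649); two identical =head2 lines also give POD tools ambiguous link targets. Suggest adding a sentence to each describing how the two issues differ, or at least a distinguishing suffix in the heading, so a reader of the security section can tell which report each fix addresses. Two smaller documentation points: the Archive::Tar entry under "Updated Modules and Pragmata" ("upgraded from version 2.24 to 2.24_01") would benefit from a cross-reference to the CVE-2018-12015 section above, since that upgrade is the fix; and the "Unexpected ']' with no following ')'" description has a comma splice ("... as part of a '])', you may have forgotten the close paren ...") that reads better as two sentences.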