| Package | perl |
|---|---|
| Version | 5.24.1-3+deb9u9 (stretch), 5.28.1-6+deb10u3 (buster) |
| Related CVEs | CVE-2025-40909 |

Vincent Lefèvre discovered that, in the Perl programming language, at thread creation the current directory may temporarily change in other threads, altering file accesses. Under some conditions, a local attacker may leverage this to access unauthorized data or even inject arbitrary code.

For Debian 10 buster, these problems have been fixed in version 5.28.1-6+deb10u3.

For Debian 9 stretch, these problems have been fixed in version 5.24.1-3+deb9u9.

We recommend that you upgrade your perl packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.