2020 Y2K Effect in Perl and its effect on Pandora FMS
Perl 2020: a failure and an unexpected update of Pandora FMS
Just when we thought we had got rid of Y2K, we came across an unexpected effect: the 2020 effect. Buried deep in the system, a basic Perl library has, starting from January 1, 2020, turned the year 1970 into 2070 in any date comparison operation. It may not seem important at all, but for many systems the Unix calendar “begins” precisely in 1970; it is a base reference date that has been used in a lot of code since the beginning of Unix in 1970.
This bug was detected by at least four different people during 2018 (we don’t know if any of them did so in their communities after analyzing someone else’s work):
According to the CPAN thread, the problem was fixed in version 1.27 (Perl 5.27.1), but this update was not reflected in the different Linux distributions. We have tested OpenSUSE 15, Debian 10.2, Debian Testing (Dec 2019), Ubuntu 19 and CentOS 8, and they are all vulnerable to this problem.
The point is that this problem affects Linux as the base operating system, since the Time-Local library is part of the basic Perl core, and Perl is an essential part of Linux distributions.
This problem affects Pandora FMS, making it unable to create new modules. Fortunately, on a production system, it has no more consequences, but surely a few dozen users who have deployed new monitoring or installed an environment from scratch have become frustrated when trying to deploy their monitoring.
The Pandora FMS team noticed the failure in the early morning of January 2nd, and by January 3rd we were already deploying hotfixes for our customers. Instead of recommending that users patch a base library of the system, which is not a minor task considering the huge variety of Linux versions and distros, we decided to change the function Pandora FMS uses to compare dates: instead of the Perl timelocal() function we will use strftime(), which does not have this problem. To that end, we have generated a number of binary packages for our Enterprise customers and worked to let them know about the Perl bug before they even notice it.
It’s as simple as replacing the server and restarting it. Just like your monthly Pandora FMS update. Let’s say that this time, Santa has brought us an unexpected update.
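The mechanism behind the 1970-to-2070 shift, as an added example that is not code from this post, from Time::Local or from Pandora FMS: `expand_year` is a hypothetical helper that models the rolling 50-year window Time::Local documents for two-digit years, with the clock year passed in so the result does not depend on when it runs. It assumes the affected call passed the year as 70 (the `localtime()`-style field for 1970); the sample `timelocal` lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime);
use Time::Local qw(timegm);

# Hypothetical helper modelling the two-digit-year rule (an assumption about
# the affected releases, not a copy of the module's source).
sub expand_year {
    my ($year, $now_year) = @_;
    return $year        if $year >= 1000;   # four-digit year: taken literally
    return $year + 1900 if $year >= 100;    # 100..999: offset from 1900
    my $this       = $now_year - 1900;
    my $breakpoint = ($this + 50) % 100;    # edge of the 50-year window
    my $next       = $this - $this % 100;
    $next += 100 if $breakpoint < 50;
    my $century = $next - 100;
    # A two-digit year above the breakpoint stays in the earlier century.
    return 1900 + $year + ($year > $breakpoint ? $century : $next);
}

# Year field 70 sits just inside the window in 2019 and just outside it in 2020.
for my $now (2019, 2020) {
    printf "clock year %d: year field 70 -> %d, year 1970 -> %d\n",
        $now, expand_year(70, $now), expand_year(1970, $now);
}

# Defensive form: always hand the module a four-digit year.
my $epoch0 = timegm(0, 0, 0, 1, 0, 1970);
printf "timegm(0, 0, 0, 1, 0, 1970) = %d (%s)\n", $epoch0,
    strftime('%Y-%m-%d', gmtime($epoch0));

# Audit check over constructed sample lines: flag calls whose last argument
# is a literal year shorter than four digits.
my @sample = (
    'my $t = timelocal(0, 0, 0, 1, 0, 70);',
    'my $t = timelocal(0, 0, 0, 1, 0, 1970);',
);
for my $line (@sample) {
    my $risky = $line =~ /\btime(?:local|gm)\s*\([^)]*,\s*(\d{1,3})\s*\)/;
    printf "%-45s %s\n", $line, $risky ? 'REVIEW' : 'ok';
}
```

The regular expression only catches literal year arguments; calls that pass the year in a variable need manual review.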