Front page | perl.perl5.porters |
Postings from March 2013
The following message concerns a hash-related flaw in perl 5, which has been assigned CVE-2013-1667. In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems. Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible. Updates to address this issue have bene pushed to main-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon). bleadperl is not affected. This issues affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18. This issue has been assigned the identifier CVE-2013-1667. In the next few weeks, expect to see a more detailed post from researcher Yves Orton or me. -- rjbsThread Next