Date: March 15th, 2013
In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash. This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior. This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.

Updates to address this issue have been pushed to the maint-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).
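
The rehashing defence described in the first paragraph can be modelled in a few lines. This is an added illustration, not perl's implementation: the table size, the chain threshold and the use of keyed BLAKE2b as the seeded hash function are all assumptions made for the sketch, and the colliding keys are constructed sample input for this toy table only.

```python
import hashlib
import random

BUCKETS = 256    # fixed table size (assumed for this model)
MAX_CHAIN = 8    # chain length that triggers a rehash (assumed threshold)

def bucket_of(key: str, seed: int) -> int:
    """Seeded hash -> bucket index; keyed BLAKE2b stands in for perl's hash function."""
    d = hashlib.blake2b(key.encode(), key=seed.to_bytes(8, "big"), digest_size=4)
    return int.from_bytes(d.digest(), "big") % BUCKETS

class ToyHash:
    def __init__(self, seed=0, rng=None):
        self.seed = seed                          # seed 0 models a predictable hash
        self.rng = rng or random.SystemRandom()   # source of fresh secret seeds
        self.buckets = [[] for _ in range(BUCKETS)]
        self.rehashes = 0

    def insert(self, key):
        chain = self.buckets[bucket_of(key, self.seed)]
        if key not in chain:
            chain.append(key)
        if len(chain) > MAX_CHAIN:                # suspiciously long chain
            self._rehash()

    def _rehash(self):
        """Pick a new seed, recalculate every key's bucket and redistribute."""
        keys = [k for chain in self.buckets for k in chain]
        self.seed = self.rng.getrandbits(64)
        self.buckets = [[] for _ in range(BUCKETS)]
        for k in keys:
            self.buckets[bucket_of(k, self.seed)].append(k)
        self.rehashes += 1

    def longest_chain(self):
        return max(len(c) for c in self.buckets)

def constructed_colliding_keys(n, seed=0):
    """Constructed sample input: n keys sharing bucket 0 under the known seed."""
    keys, i = [], 0
    while len(keys) < n:
        if bucket_of(f"k{i}", seed) == 0:
            keys.append(f"k{i}")
        i += 1
    return keys

def demo(n=64):
    table = ToyHash(seed=0, rng=random.Random(1))  # fixed RNG only for a repeatable demo
    for k in constructed_colliding_keys(n):
        table.insert(k)
    return table.rehashes, table.longest_chain()
```

Without the rehash step all 64 keys would sit in one chain and every lookup would scan it linearly; with it, the table reseeds once and the keys spread out.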