From Mageia wiki
Revision as of 01:45, 16 March 2013 by Dmorgan

MGASA-2013-0094

Date: March 15th, 2013
Affected releases: 2
Media: Core


Description:

In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash. This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior. This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.
Updates to address this issue have been pushed to maint-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).


Updated Packages:
i586:
perl-devel-5.14.2-8.3.mga2.i586
perl-base-5.14.2-8.3.mga2.i586
perl-5.14.2-8.3.mga2.i586
perl-doc-5.14.2-8.3.mga2.noarch

x86_64:
perl-base-5.14.2-8.3.mga2.x86_64
perl-devel-5.14.2-8.3.mga2.x86_64
perl-doc-5.14.2-8.3.mga2.noarch
perl-5.14.2-8.3.mga2.x86_64

SRPMS:
perl-5.14.2-8.3.mga2
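
To confirm a Mageia 2 host carries the fixed build listed above, the following added example (not part of the original advisory or of Mageia's tooling) compares installed perl package versions against 5.14.2-8.3.mga2. It assumes a simplified form of rpm's version ordering (no epoch, tilde or caret handling) and that the `rpm` command is on the PATH; the function names are illustrative.

```python
import re
import subprocess

FIXED_EVR = "5.14.2-8.3.mga2"  # fixed perl build listed in this advisory
PACKAGES = ["perl", "perl-base", "perl-devel", "perl-doc"]

def _segments(s):
    # rpm splits a version into runs of digits or letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm segment comparison: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric, so 10 > 3
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare version-release strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_patched(installed_evr, fixed_evr=FIXED_EVR):
    return evr_cmp(installed_evr, fixed_evr) >= 0

def installed_perl_packages():
    """Query the local rpm database; returns {name: version-release}."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", r"%{NAME} %{VERSION}-%{RELEASE}\n", *PACKAGES],
        capture_output=True, text=True).stdout
    # "package X is not installed" lines do not split into two fields
    rows = (line.split() for line in out.splitlines())
    return {r[0]: r[1] for r in rows if len(r) == 2}

if __name__ == "__main__":
    for name, evr in installed_perl_packages().items():
        print(name, evr, "patched" if is_patched(evr) else "NEEDS UPDATE")
```
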

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html
https://bugs.mageia.org/show_bug.cgi?id=9331