MGASA-2013-0094
Date: March 15th, 2013
Affected releases: 2
Media: Core
Description:
In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash. This mechanism has made perl robust against attacks that have
been demonstrated against other systems.
Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior. This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.
Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.
Updates to address this issue have been pushed to maint-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).
Updated Packages:
i586:
perl-devel-5.14.2-8.3.mga2.i586
perl-base-5.14.2-8.3.mga2.i586
perl-5.14.2-8.3.mga2.i586
perl-doc-5.14.2-8.3.mga2.noarch
x86_64:
perl-base-5.14.2-8.3.mga2.x86_64
perl-devel-5.14.2-8.3.mga2.x86_64
perl-doc-5.14.2-8.3.mga2.noarch
perl-5.14.2-8.3.mga2.x86_64
SRPMS:
perl-5.14.2-8.3.mga2
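A check that the installed perl packages are at or above the fixed build listed above, as an added example that is not part of the original advisory. It assumes GNU `sort -V` as an approximation of rpm's version ordering and ignores any package epoch; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag core perl packages older than the fixed build in
# MGASA-2013-0094. Assumption: GNU `sort -V` approximates rpm's version
# ordering; package epochs are ignored.

FIXED_EVR="5.14.2-8.3.mga2"   # version-release from the advisory's package list

# evr_of NAME-VERSION-RELEASE.ARCH -> prints VERSION-RELEASE
evr_of() {
    nvr=${1%.*}        # strip the trailing .arch
    rel=${nvr##*-}     # release is the last dash-separated field
    nv=${nvr%-*}
    ver=${nv##*-}      # version is the field before it
    printf '%s-%s\n' "$ver" "$rel"
}

# is_fixed VERSION-RELEASE -> exit status 0 if it is >= FIXED_EVR
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# audit: reads one package per line on stdin and prints a status line for
# each of the four packages named in the advisory; other perl-* modules
# are skipped because they are versioned independently.
audit() {
    while IFS= read -r pkg; do
        case $pkg in
            perl-5*|perl-base-*|perl-devel-*|perl-doc-*) ;;
            *) continue ;;
        esac
        if is_fixed "$(evr_of "$pkg")"; then
            echo "OK         $pkg"
        else
            echo "VULNERABLE $pkg"
        fi
    done
}

# Typical use on an rpm-based host:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | audit
```
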
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667
http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html
https://bugs.mageia.org/show_bug.cgi?id=9331