All updated now Leo
On 12 March 2013 04:52, Toby Wintermute <t...@wintrmute.net> wrote:
> I note that while 5.16.3 is visible on CPAN, no-one seems to have
> updated perl.org yet - it still offers 5.16.2 as the latest release
> for download.
>
> On 5 March 2013 02:26, Nicholas Clark <n...@ccl4.org> wrote:
>> Technically this is off topic:
>>
>> ----- Forwarded message from Ricardo Signes <perl....@rjbs.manxome.org> -----
>>
>> Date: Mon, 4 Mar 2013 10:20:11 -0500
>> From: Ricardo Signes <perl....@rjbs.manxome.org>
>> To: perl5-port...@perl.org
>> Subject: CVE-2013-1667: important rehashing flaw
>> User-Agent: Mutt/1.5.21 (2010-09-15)
>>
>> The following message concerns a hash-related flaw in perl 5, which has been
>> assigned CVE-2013-1667.
>>
>> In order to prevent an algorithmic complexity attack against its hashing
>> mechanism, perl will sometimes recalculate keys and redistribute the contents
>> of a hash. This mechanism has made perl robust against attacks that have
>> been demonstrated against other systems.
>>
>> Research by Yves Orton has recently uncovered a flaw in the rehashing code
>> which can result in pathological behavior. This flaw could be exploited to
>> carry out a denial of service attack against code that uses arbitrary user
>> input as hash keys.
>>
>> Because using user-provided strings as hash keys is a very common operation, we
>> urge users of perl to update their perl executable as soon as possible.
>> Updates to address this issue have been pushed to maint-5.8, maint-5.10,
>> maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed
>> of this problem two weeks ago and are expected to be shipping updates today (or
>> otherwise very soon).
>>
>> bleadperl is not affected.
>>
>> This issue affects all production versions of perl from 5.8.2 to 5.16.x. It
>> does not affect the upcoming perl 5.18.
>>
>> This issue has been assigned the identifier CVE-2013-1667.
>>
>> In the next few weeks, expect to see a more detailed post from researcher Yves
>> Orton or me.
>>
>> --
>> rjbs
>>
>> ----- End forwarded message -----
>>
>> You will be wanting to be sure that this one is patched, either by your
>> vendor, or locally if you maintain your own build. The fix is under 40 lines,
>> most of which is *deleting* code and comments.
>>
>> If you know how to attack it, the results are pretty ugly, and pretty much
>> impossible to mitigate in user code. Right now, we don't think that anyone
>> *else* knows how to do it. You're only safe from DOS as long as this remains
>> the case.
>>
>> Nicholas Clark
>
> --
> Turning and turning in the widening gyre
> The falcon cannot hear the falconer
> Things fall apart; the center cannot hold
> Mere anarchy is loosed upon the world
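A quick version triage for the advisory above, as an added example that is not part of the thread and not the perl5 project's own tooling. It classifies the running perl against the ranges the advisory states (5.8.2 through 5.16.x affected; 5.16.3 is the 5.16 release the thread names as carrying the fix; 5.18 and bleadperl unaffected). The function name, the status labels and the boundary inputs in the self-check are my own. The thread gives no release numbers for the patched 5.8, 5.10, 5.12 and 5.14 branches, and vendor builds backport fixes without changing the version string, so this script deliberately reports "check-vendor" rather than "vulnerable" for anything below 5.16.3:

```perl
#!/usr/bin/perl
# Added example, not from the thread: triage the running perl's version against
# the CVE-2013-1667 ranges stated in the advisory. A version string can only
# prove "fixed" for 5.16.3+ or "unaffected" for 5.18+; a distro package in the
# 5.8.2..5.16.2 range may already carry the backported fix, so it is reported as
# "check-vendor", not "vulnerable". Function and label names are assumptions.
use strict;
use warnings;

# Classify a numeric perl version as $] reports it (e.g. 5.016002 for 5.16.2).
# Returns "unaffected", "fixed", "check-vendor" or "not-covered".
sub cve_2013_1667_status {
    my ($v) = @_;
    return "unaffected"   if $v <  5.008002;   # before 5.8.2: outside the stated range
    return "unaffected"   if $v >= 5.018;      # 5.18 and later: advisory says not affected
    return "not-covered"  if $v >= 5.017;      # 5.17.x dev releases: advisory is silent
    return "fixed"        if $v >= 5.016003;   # 5.16.3: release named in the thread
    return "check-vendor";                     # 5.8.2 .. 5.16.2: needs a patched build
}

# Self-check on boundary values taken from the advisory (constructed inputs).
my %expect = (
    5.008001 => "unaffected",
    5.008002 => "check-vendor",
    5.016002 => "check-vendor",
    5.016003 => "fixed",
    5.017001 => "not-covered",
    5.018    => "unaffected",
);
for my $v (sort keys %expect) {
    my $got = cve_2013_1667_status($v);
    die "self-check failed for $v: got $got, expected $expect{$v}\n"
        unless $got eq $expect{$v};
}

# Report on the interpreter actually running this script.
my $status = cve_2013_1667_status($]);
printf "perl %vd (\$] = %s): %s\n", $^V, $], $status;
if ($status eq "check-vendor") {
    print "  Version is inside the affected range. Confirm the CVE-2013-1667 fix\n",
          "  is present: vendor package changelog, or the local patch if you build\n",
          "  perl yourself.\n";
}
```

Run it with the perl you actually deploy (`/usr/bin/perl check.pl`, or the path of a locally built interpreter), since a machine commonly has more than one. "check-vendor" is a prompt to read the package changelog, not a verdict; as Nicholas notes, the fix itself is small, so a vendor backport into an older version string is the normal case rather than the exception.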