[rt-devel] [rt-announce] Security vulnerability in Perl

Alex Vandiver alexmv at bestpractical.com
Tue Mar 5 13:32:40 EST 2013


This is a notification of a security vulnerability, not of RT, but of
perl itself.  That vulnerability, CVE-2013-1667, affects all production
versions of perl from 5.8.2 to 5.16.x.

From perl5-porters:

    In order to prevent an algorithmic complexity attack against its
    hashing mechanism, perl will sometimes recalculate keys and
    redistribute the contents of a hash.  This mechanism has made perl
    robust against attacks that have been demonstrated against other
    systems.

    Research by Yves Orton has recently uncovered a flaw in the
    rehashing code which can result in pathological behavior.  This flaw
    could be exploited to carry out a denial of service attack against
    code that uses arbitrary user input as hash keys.

  ( http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html )


Vendors, including RedHat, Debian, and Ubuntu, were informed of this
problem two weeks ago and are expected to be shipping updated versions
of their perl packages shortly.  We encourage you to take these updates
as soon as they are available.

We are aware that taking updated versions of some vendor perl packages
(particularly with older releases of RedHat) may downgrade some modules
that RT requires to run, causing breakages when RT is restarted.  This
is particularly known to be an issue with Scalar::Util, Sys::Syslog, and
File::Temp.
For this reason, we suggest re-running rt-test-dependencies after you
upgrade perl, to ensure that this has not occurred.  You can do this via
running /opt/rt4/bin/rt-test-dependencies, and passing it one
of --with-mysql, --with-pg, or --with-oracle, as well as --with-fastcgi
or --with-modperl2 as suits your current deployment.  If unmet
dependencies are found, you should immediately upgrade them; this can be
done by re-running rt-test-dependencies with the additional --install
option.


The vendor upgrades of perl may not be sufficient if you are running a
locally-compiled version of perl.  You can determine if this is the case
by examining the first line of /opt/rt4/bin/rt (or /opt/rt3/bin/rt).  If
that line contains:

    #!/usr/bin/perl

...then you are running the vendor-supplied version of perl, and need
take no further steps.  Otherwise, you will need to upgrade your locally
installed perl, or re-install it after applying security patches.
Updated versions of 5.14.x and 5.16.x will be released within the week;
we recommend upgrading to those.
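The two checks above (re-running rt-test-dependencies after the vendor update, and inspecting the shebang line of /opt/rt4/bin/rt to tell a vendor perl from a locally built one) gathered into one script, as an added example that is not part of this announcement or of RT's own tooling. It uses the paths the announcement names; the function names, the RT_BIN and RT_DEPS variables, and the default --with-mysql --with-fastcgi arguments are this example's own assumptions, and the version-range test follows the announcement's statement that 5.8.2 through 5.16.x are affected.

```shell
#!/bin/sh
# Added example, not part of the original announcement or of RT itself:
# audit an RT installation for CVE-2013-1667 exposure following the steps
# in the announcement. Paths (/opt/rt4/bin/rt, rt-test-dependencies) come
# from the announcement; the function names and the optional RT_BIN/RT_DEPS
# variables are this example's own.

# Print the interpreter named on a script's shebang line, or nothing.
shebang_interpreter() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#!'*) set -- ${first#??}; printf '%s\n' "$1" ;;
        *)     printf '\n' ;;
    esac
}

# The announcement's rule: a shebang of exactly /usr/bin/perl means the
# vendor package; anything else is a locally built or relocated perl.
uses_vendor_perl() {
    [ "$(shebang_interpreter "$1")" = /usr/bin/perl ]
}

# Return 0 when a dotted version (e.g. 5.14.2) lies in the range the
# announcement gives as affected, 5.8.2 through 5.16.x. The announcement
# does not name the fixed point releases, so an already patched 5.14.x or
# 5.16.x still returns 0 here; read that as "confirm the vendor update".
perl_version_affected() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    maj=$1; min=${2:-0}; pat=${3:-0}
    [ "$maj" -eq 5 ] || return 1
    [ "$min" -ge 8 ] || return 1
    [ "$min" -le 16 ] || return 1
    if [ "$min" -eq 8 ] && [ "$pat" -lt 2 ]; then
        return 1
    fi
    return 0
}

# Walk the checklist for one RT install: which perl the rt wrapper runs,
# whether that perl's version is in the affected series, and whether the
# upgrade disturbed the modules RT needs. Extra arguments are passed on to
# rt-test-dependencies (e.g. --with-mysql --with-fastcgi).
audit_rt_perl() {
    rt_bin=$1; shift
    interp=$(shebang_interpreter "$rt_bin")
    if [ -z "$interp" ]; then
        echo "no shebang in $rt_bin; cannot tell which perl RT uses"
        return 2
    fi
    # %vd renders $^V as a plain dotted version such as 5.16.2.
    ver=$("$interp" -e 'printf "%vd", $^V' 2>/dev/null) || ver=unknown
    if uses_vendor_perl "$rt_bin"; then
        echo "vendor perl $interp ($ver): apply the distribution's perl update"
    else
        echo "local perl $interp ($ver): upgrade or rebuild this perl yourself"
    fi
    if [ "$ver" != unknown ] && perl_version_affected "$ver"; then
        echo "perl $ver is in the affected series (5.8.2 through 5.16.x)"
    fi
    deps=$(dirname "$rt_bin")/rt-test-dependencies
    if [ -x "$deps" ]; then
        echo "running $deps $*; upgrade anything reported missing with --install"
        "$deps" "$@"
    fi
}

# Run only when an RT install is present, so the functions above can also be
# sourced from another script without side effects.
if [ -x "${RT_BIN:-/opt/rt4/bin/rt}" ]; then
    audit_rt_perl "${RT_BIN:-/opt/rt4/bin/rt}" ${RT_DEPS:---with-mysql --with-fastcgi}
fi
```

For an RT 3 install, set RT_BIN=/opt/rt3/bin/rt; the shebang rule is the same. Whether rt-test-dependencies signals unmet modules through its exit status is not stated in the announcement, so the script prints its output rather than relying on a return code.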


If you need help resolving this issue, please contact us at
sales at bestpractical.com for more information.