Mar 042013

The following message concerns a hash-related flaw in perl 5

This issue affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18.

In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash.  This mechanism has made perl robust against attacks that have been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior.  This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

Updates to address this issue have been pushed to maint-5.8, maint-5.10maint-5.12, maint-5.14, and maint-5.16 branches today, perl 5.14.4 and 5.16.3 will be released soon, including these fixes. There is no plan to make a new release of any other version.

Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon).

bleadperl is not affected.

This issue has been assigned the identifier CVE-2013-1667.