Sep 26 2014

The Shellshock bug affects the Bash shell.

Though Perl itself is not directly affected, some web servers (such as Apache) that run Perl are. Additionally, if Perl shells out (system(), backticks, qx, etc.), that may instantiate bash, which would be a potential attack vector.

Perl Tricks has a good write-up.

Your best protection is upgrading Bash on your operating system as soon as patches are available, or switching all accounts to an alternative shell (such as ‘sh’ or ‘zsh’) until they are.

Be aware there were 2 releases of bash to fix this, as the first was not complete.
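Alongside patching, Perl code that shells out can avoid starting a shell itself and can stop request-controlled environment variables from reaching the child process. The following is an added example, not code from the original post; the allow-list, the fixed PATH, the presence of /usr/bin/env, and the helper names clean_env, run_no_shell and capture_no_shell are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Variables the child may inherit (assumed list); everything else, including
# the HTTP_* variables a CGI server fills from request headers, is dropped.
my @ENV_ALLOW = qw(LANG LC_ALL TZ);

sub clean_env {
    my %clean = (PATH => '/usr/bin:/bin');    # fixed value, never inherited
    for my $name (@ENV_ALLOW) {
        $clean{$name} = $ENV{$name} if defined $ENV{$name};
    }
    return %clean;
}

# Replacement for system("..."): the indirect-object form execs the program
# directly, so perl never starts /bin/sh (which may be bash).
sub run_no_shell {
    my @cmd = @_;
    local %ENV = clean_env();
    my $rc = system { $cmd[0] } @cmd;
    die "cannot run $cmd[0]: $!\n" if $rc == -1;
    return $rc >> 8;
}

# Replacement for backticks/qx: forking open plus exec, again without a shell.
sub capture_no_shell {
    my @cmd = @_;
    local %ENV = clean_env();
    my $pid = open(my $out, '-|') // die "cannot fork: $!\n";
    if ($pid == 0) {
        exec { $cmd[0] } @cmd or die "cannot exec $cmd[0]: $!\n";
    }
    my @lines = <$out>;
    close $out;
    return @lines;
}

unless (caller) {
    # Constructed stand-in for a header value supplied by a remote client.
    $ENV{HTTP_USER_AGENT} = 'constructed-header-value';
    my @child_env = capture_no_shell('/usr/bin/env');
    print "child sees: $_" for @child_env;
    my $leaked = grep { /^HTTP_/ } @child_env;
    print $leaked ? "request variables leaked\n" : "request variables dropped\n";
    exit run_no_shell('/usr/bin/env', 'true');
}
```

The cleaned environment matters even with no shell in the Perl call, because the program being run may itself be a bash script or may call bash further down.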

Mar 04 2013

The following message concerns a hash-related flaw in perl 5.

This issue affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18.

In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash.  This mechanism has made perl robust against attacks that have been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior.  This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

Updates to address this issue have been pushed to maint-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Perl 5.14.4 and 5.16.3 will be released soon, including these fixes. There is no plan to make a new release of any other version.

Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon).

bleadperl is not affected.

This issue has been assigned the identifier CVE-2013-1667.