It turns out that vendors are slow in providing updates. We did a survey and there were too many vulnerable systems to release the details of the attack. Once we feel most of the affected systems are patched we will release more details. This process is called "responsible disclosure".
Also, based upon the scant information I have been able to glean -- and a lot of unfortunately necessary supposition -- it seems likely that any one of several one-line patches might serve to totally mitigate the possibility of CVE-2013-1667.
The patches mitigating CVE-2013-1667 are all public. The patches which changed Perls hash implementation are all public. The only code which is not public is the code which demonstrates a key-discovery attack on perls old hash function, and the key generator code to produce an attack key set for CVE-2013-1667.
Please stop posting FUD about this issue. You do not know what you are talking about, and everybody reading this thread should know it.
|Replies are listed 'Best First'.|
Re^10: 5.18.0 is available NOW!
by BrowserUk (Pope) on May 22, 2013 at 10:36 UTC