Re^9: 5.18.0 is available NOW!

by demerphq (Chancellor)
on May 22, 2013 at 10:13 UTC


in reply to Re^8: 5.18.0 is available NOW!
in thread 5.18.0 is available NOW!

It turns out that vendors are slow in providing updates. We did a survey and there were too many vulnerable systems to release the details of the attack. Once we feel most of the affected systems are patched we will release more details. This process is called "responsible disclosure".

Also, based upon the scant information I have been able to glean -- and a lot of unfortunately necessary supposition -- it seems likely that any one of several one-line patches might serve to totally mitigate the possibility of CVE-2013-1667.

The patches mitigating CVE-2013-1667 are all public. The patches which changed Perl's hash implementation are all public. The only code which is not public is the code which demonstrates a key-discovery attack on Perl's old hash function, and the key generator code to produce an attack key set for CVE-2013-1667.

Please stop posting FUD about this issue. You do not know what you are talking about, and everybody reading this thread should know it.

---
$world=~s/war/peace/g
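The post above refers to the public patches that changed Perl's hash implementation in 5.18. The following script is an added example, not code from this thread or from the perl5 project: it is the check a practitioner can run to confirm that the 5.18 mitigation (a per-process hash seed plus key-order perturbation) is active on a given interpreter, and that the documented `PERL_HASH_SEED` / `PERL_PERTURB_KEYS` environment variables restore a reproducible order when needed for debugging. The 40-key set is constructed for the example; any distinct keys would do.

```perl
#!/usr/bin/perl
# Added example (not from the thread): does this perl randomise hash
# key order per process, as perl 5.18 does by default?  Runs a child
# perl ($^X) several times and compares the order keys() returns.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed key set: enough keys to spread over several buckets.
my @keys = map { "key$_" } 1 .. 40;

# Child program written to a temp file, so the same invocation works
# under cmd.exe and a POSIX shell without shell-quoting surprises.
my ($fh, $path) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print $fh "my \%h = map { \$_ => 1 } qw(@keys); "
        . "print join(',', keys \%h), \"\\n\";\n";
close $fh;

# Run the child once and return the key order it printed.
sub key_order {
    my $out = qx("$^X" "$path");
    chomp $out;
    return $out;
}

# Default settings: with a per-process random seed (5.18+) five runs
# should not all agree.  On 5.8.2 .. 5.16 the order is normally
# identical across runs, which is the behaviour 5.18 changed.
my %seen = map { key_order() => 1 } 1 .. 5;
my $randomised = keys(%seen) > 1;

# Pinned seed and no perturbation: 5.18 documents these variables for
# reproducing a given order, e.g. while debugging a test failure.
my $reproducible;
{
    local $ENV{PERL_HASH_SEED}    = 0;
    local $ENV{PERL_PERTURB_KEYS} = 0;
    my %s = map { key_order() => 1 } 1 .. 5;
    $reproducible = keys(%s) == 1;
}

printf "perl %vd\n", $^V;
printf "hash key order randomised per process: %s\n",
    $randomised ? 'yes' : 'NO (pre-5.18 behaviour, or seed pinned in the environment)';
printf "order reproducible with PERL_HASH_SEED=0 PERL_PERTURB_KEYS=0: %s\n",
    $reproducible ? 'yes' : 'no';
```

Run it under the interpreter you want to check; a "NO" on the first line means that interpreter still exposes a predictable key order, which is the property the 5.18 changes were made to remove. The second line only shows that the pinning variables work; they should never be set in production environments, since doing so reintroduces the predictability.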

Re^10: 5.18.0 is available NOW!
by BrowserUk (Pope) on May 22, 2013 at 10:36 UTC
    This process is called "responsible disclosure".

    That can lead to "a feeling of false security."

    The patches mitigating CVE-2013-1667 are all public.

    The patches are public; but whether they actually address the perceived problem -- or even if the perceived problem is actually a problem -- cannot be determined without knowing what the problem is.

    The only code which is not public is the code which demonstrates a key-discovery attack on Perl's old hash function,

    Easily reproduced with a 20 line script. It is running now:

    C:\test\ACA>acaorg.pl ffffffff9e18a6c0 : 4239443806 ffffffff9e125b4a : 0 ffffffff6b7df080 : 1779721366 ffffffff6b70c590 : 0 fffffffe3ce11140 : 910530016 fffffffe3cdeeb65 : 0 fffffffe306bfb00 : 1611835061 fffffffe3068d669 : 0 fffffffe2433edc0 : 4138893306 fffffffe2424e54f : 0 fffffffd42101540 : 859828120 fffffffd4208b306 : 0 fffffffc946f3b00 : 3818104431 fffffffc946a41f9 : 0 fffffffc74d81280 : 136820829 fffffffc74cf4fda : 0 fffffffc5358a200 : 3579781500 fffffffc53498ab5 : 0 fffffffc3bfb3000 : 3954332110 fffffffc3bf13ea0 : 0 fffffffc1b0513c0 : 3628689861 fffffffc1afb954d : 0 fffffffbe2283140 : 2595609187 fffffffbe21d75fc : 0 fffffffa1f5df880 : 1843139145 fffffffa1f5da785 : 0 fffffff9aeb6dc00 : 1542994541 fffffff9aeb43499 : 0 fffffff37d875d40 : 32872931 fffffff37d805214 : 0 fffffff2906be6c0 : 185662415 fffffff29062e505 : 0 fffffff0ed75df80 : 2700779586 fffffff0ed6c3df9 : 0 ffffffebb2436680 : 3189906622 ffffffebb238e16e : 0 ffffffeba22b8700 : 1310410987 ffffffeba226ec28 : 0 ffffffeaead37e00 : 3625920016 ffffffeaead35785 : 0 ffffffeac9358900 : 2393602125 ffffffeac92fc165 : 0 ffffffeab111b9c0 : 369131293 ffffffeab102c84f : 0 ffffffea0f1f9880 : 2519556133 ffffffea0f1e03c3 : 0 ffffffe33550fc80 : 1663884228 ffffffe335462eab : 0 ffffffdf8e0f53c0 : 365009925 ffffffdf8e01ec78 : 0 ffffffdf8a10fd00 : 1643510682 ffffffdf8a05ef7c : 0 ffffffdf76d06640 : 4167007409 ffffffdf76cbc05d : 0 ffffffdf6ea5f200 : 708933268 ffffffdf6ea3d955 : 0 ffffffdf6a1e4700 : 259152129 ffffffdf6a17cd59 : 0 ffffffda20145dc0 : 1010735616 ffffffda200ecfa8 : 0 ffffffda01439280 : 3003550292 ffffffda01407fca : 0 ffffffd6ca1fb200 : 1340458493 ffffffd6ca13cba8 : 0 ffffffd6c6309d80 : 146205514 ffffffd6c62950ac : 0 ffffffd60de47080 : 2347657043 ffffffd60ddee3ea : 0 ffffffd49b178340 : 2926855563 ffffffd49b106f2e : 0 ffffffd452508800 : 4106455009 ffffffd4524c74e8 : 0 ffffffd2413442c0 : 1672645870 ffffffd24134317d : 0 ffffffd23dddc4c0 : 1130186208 ffffffd23dd2ce81 : 0 ffffffd22113c600 : 715132221 ffffffd22107195d 
: 0 ffffffc3c48b2580 : 2954004226 ffffffc3c47ec9a7 : 0 ffffffc3c07d8c80 : 2379036288 ffffffc3c0704eab : 0 ffffffc0a1313000 : 476339637 ffffffc0a12329f4 : 0 ffffffbe7514af80 : 2160224410 ffffffbe7512b3a8 : 0 ffffffbe410bc340 : 372065889 ffffffbe410838ac : 0 ffffffbcee7dd740 : 1779644049 ffffffbcee78fdb6 : 0 ffffffb889372980 : 1539663863 ffffffb8892921f4 : 0 ffffffb8757c80c0 : 479680247 ffffffb8757198e8 : 0 ffffffb84e443840 : 2250928234 ffffffb84e39932e : 0 ffffffb84a5523c0 : 3478961441 ffffffb84a4d1032 : 0 ffffffb82b939ac0 : 4234041997 ffffffb82b8a2754 : 0 ffffffb6ebf9fa40 : 2595974984 ffffffb6ebeb29ca : 0 ffffffb672eb6080 : 2575639946 ffffffb672df23d2 : 0 ffffffb6590d1000 : 1016509299 ffffffb6590230ac : 0 ffffffb2eccd9ac0 : 2124353155 ffffffb2ecc8ad81 : 0 ffffffb2e0b41200 : 2010439422 ffffffb2e0ab127d : 0 ffffffb2b7dfccc0 : 2838986815
    You do not know what you are talking about

    Actually, I do. As you will find out.


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use every day'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

      The patches are public; but whether they actually address the perceived problem -- or even if the perceived problem is actually a problem -- cannot be determined without knowing what the problem is.

      Actually, I do. As you will find out.

      I look forward to reading your patch. But I find it hard to reconcile your two statements. On one hand you admit you don't know what the problem is, yet on the other you assert you know what you are talking about. Both can't be right. IMO if you understand the patches you should be able to figure out the attack and recreate it.

      ---
      $world=~s/war/peace/g

        I look forward to reading your patch.

        I didn't offer one.

        On one hand you admit you don't know what the problem is, yet on the other you assert you know what you are talking about. Both can't be right.

        Of course they can. (Look back for the phrase "unfortunately necessary supposition".)

        if you understand the patches

        Bingo!

        But that only tells us the problem that you feel needs addressing and how you've chosen to tackle it.

        It doesn't tell us how you think that scenario might come about; nor what other solutions have been considered.

        But enough! We've descended below what is apparently the justifiable cut-off for the depth of a discussion (>10), and all we are doing is talking at each other, so let's stop here and see what time will tell us.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use every day'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
