From: freebsd@tern.ru
To: freebsd-security@freebsd.org
Date: Fri, 15 Mar 2013 17:30:20 +0400
Subject: old perl vulnerability
Message-ID: <1472823038.20130315173020@tern.ru>

Hello Freebsd-security,

I've got a portaudit alarm on perl-5.8.9_7 with regard to

perl -- denial of service via algorithmic complexity attack on hashing routines.
Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html

But on the other server I have perl-threaded-5.8.9_7
and portaudit thinks that it is OK (no problem).

Is it correct?
It seems to me that threaded perl also should have the same problem.

Please advise.

PS. I know that it is old and "unsupported" but I don't want to
upgrade without a serious reason. And, anyway, the "behavior" of
portaudit seems to me not correct.

With best regards,
Alexandre Krasnov.


From: Ryan Steinmetz
To: freebsd@tern.ru
Cc: freebsd-security@freebsd.org
Date: Fri, 15 Mar 2013 09:54:55 -0400
Subject: Re: old perl vulnerability
Message-ID: <20130315135454.GA41210@exodus.zi0r.com>
In-Reply-To: <1472823038.20130315173020@tern.ru>

On (03/15/13 17:30), freebsd@tern.ru wrote:
> Hello Freebsd-security,
>
> I've got a portaudit alarm on perl-5.8.9_7 with regard to
>
> perl -- denial of service via algorithmic complexity attack on hashing routines.
> Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html
>
> But on the other server I have perl-threaded-5.8.9_7
> and portaudit thinks that it is OK (no problem).
>
> Is it correct?
> It seems to me that threaded perl also should have the same problem.

It does have the same issue. I've corrected the VuXML entry and you should see updated portaudit results within 30 minutes.

Your 5.8.9 perl-threaded installation should also show up as vulnerable to the same issue.

Thanks!

-r

> Please advise.
>
> PS. I know that it is old and "unsupported" but I don't want to
> upgrade without a serious reason. And, anyway, the "behavior" of
> portaudit seems to me not correct.
>
> With best regards,
> Alexandre Krasnov.

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2


From: moto kawasaki
To: freebsd@tern.ru
Cc: freebsd-security@freebsd.org
Date: Fri, 15 Mar 2013 22:55:49 +0900 (JST)
Subject: Re: old perl vulnerability
Message-Id: <20130315.225549.418353022350756440.moto@kawasaki3.org>
In-Reply-To: <1472823038.20130315173020@tern.ru>

Hi,

Did you try "portaudit -Fda", which downloads the newest portaudit database?
portaudit downloads it once every couple of days by default, if my memory is still working.

So, it could be that your first node happened to download the database today, but not the other node.

Thank you!

--
moto kawasaki

From: freebsd@tern.ru
To: freebsd-security@freebsd.org
Subject: old perl vulnerability
Date: Fri, 15 Mar 2013 17:30:20 +0400
Message-ID: <1472823038.20130315173020@tern.ru>

freebsd> Hello Freebsd-security,
freebsd>
freebsd> I've got a portaudit alarm on perl-5.8.9_7 with regard to
freebsd>
freebsd> perl -- denial of service via algorithmic complexity attack on hashing routines.
freebsd> Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html
freebsd>
freebsd> But on the other server I have perl-threaded-5.8.9_7
freebsd> and portaudit thinks that it is OK (no problem).
freebsd>
freebsd> Is it correct?
freebsd> It seems to me that threaded perl also should have the same problem.
freebsd>
freebsd> Please advise.
freebsd>
freebsd> PS. I know that it is old and "unsupported" but I don't want to
freebsd> upgrade without a serious reason. And, anyway, the "behavior" of
freebsd> portaudit seems to me not correct.
freebsd>
freebsd> With best regards,
freebsd> Alexandre Krasnov.
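As an added illustration of the fix Ryan describes (example code, not portaudit's or the FreeBSD VuXML tooling's own): a toy VuXML matcher run over a constructed entry, showing why a package whose name is absent from <affects> is reported as clean and how adding <name>perl-threaded</name> changes the result. The vid, topic and version bound are placeholders, not values from the real entry, and the version comparison is a simplification of pkg_version(1).

```python
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed entry, not the real one: the "before" form names only 'perl',
# the "after" form also names 'perl-threaded'. vid/topic/bound are placeholders.
VUXML_BEFORE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="example-vid"><topic>perl -- hash complexity DoS (constructed)</topic>
<affects><package><name>perl</name><range><lt>5.8.9_8</lt></range></package></affects>
</vuln></vuxml>"""
VUXML_AFTER = VUXML_BEFORE.replace(
    "<name>perl</name>", "<name>perl</name><name>perl-threaded</name>")


def version_key(ver):
    """Crude key for FreeBSD VERSION[_REVISION][,EPOCH]; assumes dotted numerics."""
    epoch = rev = 0
    if "," in ver:
        ver, epoch = ver.split(",", 1)
    if "_" in ver:
        ver, rev = ver.split("_", 1)
    parts = tuple(int(p) if p.isdigit() else 0 for p in ver.split("."))
    return (int(epoch), parts, int(rev))


def in_range(rng, ver):
    """True if ver satisfies every <lt>/<le>/<gt>/<ge>/<eq> bound inside rng."""
    k = version_key(ver)
    tests = {"lt": lambda b: k < b, "le": lambda b: k <= b, "gt": lambda b: k > b,
             "ge": lambda b: k >= b, "eq": lambda b: k == b}
    for tag, test in tests.items():
        for node in rng.findall(NS + tag):
            if not test(version_key(node.text)):
                return False
    return True


def affected(vuxml_text, pkgname):
    """Return vids whose <affects> matches pkgname ('name-version') by name AND version."""
    name, _, ver = pkgname.rpartition("-")
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter(NS + "vuln"):
        for pkg in vuln.iter(NS + "package"):
            # Name check first: an unlisted name is never compared against the range.
            if name not in {n.text for n in pkg.findall(NS + "name")}:
                continue
            if any(in_range(r, ver) for r in pkg.findall(NS + "range")):
                hits.append(vuln.get("vid"))
    return hits
```

With the "before" document, perl-5.8.9_7 matches and perl-threaded-5.8.9_7 does not; with the "after" document both match, while a version at or above the bound is reported clean either way.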