Hello Freebsd-security,

I've got a portaudit alarm on perl-5.8.9_7 with regard to

perl -- denial of service via algorithmic complexity attack on hashing routines.
Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html

But on the other server I have perl-threaded-5.8.9_7
and portaudit thinks that it is OK (no problem).

Is it correct?
It seems to me that threaded perl also should have the same problem.

Please advise.

PS. I know that it is old and "unsupported" but I don't want to
upgrade without serious reason. And, anyway, the "behavior" of
portaudit seems to me not correct.

With best regards,
Alexandre Krasnov.

On (03/15/13 17:30), freebsd at tern.ru wrote:
>Hello Freebsd-security,
>
>I've got portaudit alarm on perl-5.8.9_7 with regard to
>
>perl -- denial of service via algorithmic complexity attack on hashing routines.
>Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html
>
>But on the other server I have perl-threaded-5.8.9_7
>and portaudit thinks that it is OK (no problem)
>
>Is it correct?
>It seems to me that threaded perl also should have the same problem.
>

It does have the same issue. I've corrected the VuXML entry and you should see updated portaudit results within 30 minutes.

Your 5.8.9 perl-threaded installation should also show up as vulnerable to the same issue.

Thanks!

-r

>Please advise.
>
>PS. I know that it is old and "unsupported" but I don't want to
> upgrade without serious reason. And, any way, the "behavior" of
> portaudit seems to me not correct.
>
>
>With best regards,
>Alexandre Krasnov.

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2

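The gap described in the reply above (an advisory entry that matched perl but not perl-threaded) can be checked for across a package inventory. This is an added example, not part of the thread and not portaudit's or VuXML's own code or format; the host names, the inventory, the name-only advisory entries and the sibling heuristic (same version string, name extended by a hyphenated suffix) are all assumptions made for illustration.

```python
# Added example with constructed data; not the real portaudit/VuXML format.

INVENTORY = {  # constructed sample inventory: host -> installed packages
    "server-a": ["perl-5.8.9_7", "examplepkg-1.0"],
    "server-b": ["perl-threaded-5.8.9_7", "examplepkg-1.0"],
}
ENTRY_BEFORE = {"perl"}                  # entry listing only the base package
ENTRY_AFTER = {"perl", "perl-threaded"}  # entry after the variant is added


def split_pkg(pkg):
    """Split a 'name-version' package string at the last hyphen."""
    name, _, version = pkg.rpartition("-")
    return name, version


def audit(inventory, affected_names):
    """Return host -> packages whose name the advisory entry lists."""
    return {
        host: [p for p in pkgs if split_pkg(p)[0] in affected_names]
        for host, pkgs in inventory.items()
    }


def sibling_gaps(inventory, affected_names):
    """Find unflagged packages that look like a variant of a flagged one.

    A package is reported when its name is '<flagged name>-<suffix>' and its
    version string equals that of a flagged package anywhere in the fleet.
    The result is a list of (host, package, flagged package it resembles).
    """
    flagged = {
        split_pkg(p)
        for pkgs in audit(inventory, affected_names).values()
        for p in pkgs
    }
    gaps = []
    for host, pkgs in inventory.items():
        for pkg in pkgs:
            name, version = split_pkg(pkg)
            if name in affected_names:
                continue  # already covered by the entry
            for f_name, f_version in sorted(flagged):
                if name.startswith(f_name + "-") and version == f_version:
                    gaps.append((host, pkg, f"{f_name}-{f_version}"))
    return gaps


if __name__ == "__main__":
    print(audit(INVENTORY, ENTRY_BEFORE))
    print(sibling_gaps(INVENTORY, ENTRY_BEFORE))
```

A hit from `sibling_gaps` is a prompt to review the advisory entry, not proof that the variant is affected.
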
Hi,

Did you try "portaudit -Fda", which downloads the newest portaudit database?

portaudit downloads it once a couple of days by default, if my memory is still working.
So, it could be your first node happens to download database today, but not the other node.

Thank you!

--
moto kawasaki <moto at kawasaki3.org>

From: freebsd at tern.ru
To: freebsd-security at freebsd.org
Subject: old perl vulnerabilitiy
Date: Fri, 15 Mar 2013 17:30:20 +0400
Message-ID: <1472823038.20130315173020 at tern.ru>

freebsd> Hello Freebsd-security,
freebsd>
freebsd> I've got portaudit alarm on perl-5.8.9_7 with regard to
freebsd>
freebsd> perl -- denial of service via algorithmic complexity attack on hashing routines.
freebsd> Reference: http://portaudit.FreeBSD.org/68c1f75b-8824-11e2-9996-c48508086173.html
freebsd>
freebsd> But on the other server I have perl-threaded-5.8.9_7
freebsd> and portaudit thinks that it is OK (no problem)
freebsd>
freebsd> Is it correct?
freebsd> It seems to me that threaded perl also should have the same problem.
freebsd>
freebsd> Please advise.
freebsd>
freebsd> PS. I know that it is old and "unsupported" but I don't want to
freebsd> upgrade without serious reason. And, any way, the "behavior" of
freebsd> portaudit seems to me not correct.
freebsd>
freebsd>
freebsd> With best regards,
freebsd> Alexandre Krasnov.