PerlMonks  

Re^7: 5.18.0 is available NOW!

by Anonymous Monk
on May 22, 2013 at 06:41 UTC


in reply to Re^6: 5.18.0 is available NOW!
in thread 5.18.0 is available NOW!

where is your patch to provide an alternate?


Re^8: 5.18.0 is available NOW!
by BrowserUk (Pope) on May 22, 2013 at 07:15 UTC

    Two problems with that retort:

    1. It would be hard to code a patch to handle an attack vector that -- to the best of my ability to discover, and despite requests for further information and a promise of "I would release a full-disclosure document in the middle to last week of march." -- seems never to have been publicly described, let alone demonstrated.

      Indeed -- whilst I'm still waiting to hear back from MITRE (CVE DB maintainers) and a couple of other likely organisations -- I can find no trace that anyone other than demerphq has ever been made party to the details of the vulnerability.

    2. Also, based upon the scant information I have been able to glean -- and a lot of unfortunately necessary supposition -- it seems likely that any one of several one-line patches might serve to totally mitigate the possibility of CVE-2013-1667.

      With the added upside that almost none of the pain caused by the implemented solution would have been necessary.

    I'm preparing a paper -- which will probably come in 4 or 5 parts -- now. But it would surely be easier, and maybe even unnecessary, if disclosure were made.


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

      It turns out that vendors are slow in providing updates. We did a survey and there were too many vulnerable systems to release the details of the attack. Once we feel most of the affected systems are patched we will release more details. This process is called "responsible disclosure".

      Also, based upon the scant information I have been able to glean -- and a lot of unfortunately necessary supposition -- it seems likely that any one of several one-line patches might serve to totally mitigate the possibility of CVE-2013-1667.

      The patches mitigating CVE-2013-1667 are all public. The patches which changed Perl's hash implementation are all public. The only code which is not public is the code which demonstrates a key-discovery attack on Perl's old hash function, and the key generator code to produce an attack key set for CVE-2013-1667.

      Please stop posting FUD about this issue. You do not know what you are talking about, and everybody reading this thread should know it.

      ---
      $world=~s/war/peace/g

        This process is called "responsible disclosure".

        That can lead to "a feeling of false security."

        The patches mitigating CVE-2013-1667 are all public.

        The patches are public; but whether they actually address the perceived problem -- or even whether the perceived problem is actually a problem -- cannot be determined without knowing what the problem is.

        The only code which is not public is the code which demonstrates a key-discovery attack on perls old hash function,

        Easily reproduced with a 20-line script. It is running now:

        You do not know what you are talking about

        Actually, I do. As you will find out.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
