Hi Brian, did you already report this to php security or should I do that?
Cheers,
Ondrej

On Fri, Oct 2, 2015, at 14:37, brian m. carlson wrote:
> On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> > Package: php5-cli
> > Version: 5.6.13+dfsg-2
> > Severity: important
> > Tags: security
> >
> > PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> > without the use of any secret key. Hash values are therefore the same
> > between multiple invocations. As a result, it's trivial to precompute a
> > set of values that all hash to the same bucket and cause positively
> > abysmal performance.
> >
> > If a script accepts untrusted hash keys, such as from JSON input, it is
> > subject to a DoS attack. PHP implemented the max_input_vars option, but
> > this is not effective in the general case, especially in the era of
> > JSON-laden POST requests. Perl, Python, and Ruby have all addressed
> > their CVEs properly, but PHP has not and as a result is still
> > vulnerable.
>
> It was pointed out to me that I should mention which CVEs apply here for
> reference.
>
> Python had CVE-2012-1150 and CVE-2013-7040. Ruby had CVE-2011-4815. I
> can't find a CVE for Perl's 2003 fix, if one exists. The fix, which
> went into 5.8, was incomplete and was addressed by CVE-2013-1667.
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
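The point made in the quoted report, that an unkeyed "times 33" hash gives the same bucket layout in every process while a secret key does not, is shown in the following added example, which is not part of the thread and is not PHP's code. The seed 5381, the 32-bit width, the table size, the function names, and the use of keyed BLAKE2b as a stand-in for a keyed hash such as SipHash are all assumptions made for the illustration.

```python
import hashlib
import itertools
import os
from collections import Counter

TABLE_SIZE = 1024  # assumed power-of-two bucket count


def djbx33a(key: bytes) -> int:
    """Unkeyed "times 33" hash: h = h * 33 + byte (assumed seed 5381, 32-bit)."""
    h = 5381
    for b in key:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def keyed_hash(key: bytes, secret: bytes) -> int:
    """Keyed BLAKE2b, standing in for a keyed hash seeded per process."""
    digest = hashlib.blake2b(key, digest_size=8, key=secret).digest()
    return int.from_bytes(digest, "little")


def longest_chain(keys, hash_fn) -> int:
    """Largest number of keys that land in one bucket of the table."""
    buckets = Counter(hash_fn(k) & (TABLE_SIZE - 1) for k in keys)
    return max(buckets.values())


# Constructed sample keys. "Ez" and "FY" hash identically under times-33
# (69*33 + 122 == 70*33 + 89), so every concatenation of the two blocks
# produces the same hash value, in every process, on every machine.
SAMPLE_KEYS = [b"".join(p) for p in itertools.product((b"Ez", b"FY"), repeat=6)]


def compare(secret=None):
    """Return (longest chain unkeyed, longest chain keyed) for SAMPLE_KEYS."""
    secret = secret or os.urandom(16)  # per-process secret, never sent to clients
    unkeyed = longest_chain(SAMPLE_KEYS, djbx33a)
    keyed = longest_chain(SAMPLE_KEYS, lambda k: keyed_hash(k, secret))
    return unkeyed, keyed


if __name__ == "__main__":
    unkeyed, keyed = compare()
    print(f"keys={len(SAMPLE_KEYS)} unkeyed chain={unkeyed} keyed chain={keyed}")
```

With the unkeyed hash all 64 sample keys share one bucket; with the keyed hash the chain length depends on a secret the sender of the keys does not know, which is the property the Perl, Python and Ruby fixes cited above rely on.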

