Security vulnerability in Perl

This is a notification of a security vulnerability, not in RT, but in perl itself. That vulnerability, CVE-2013-1667, affects all production versions of perl from 5.8.2 to 5.16.x.

From perl5-porters:

In order to prevent an algorithmic complexity attack against its
hashing mechanism, perl will sometimes recalculate keys and
redistribute the contents of a hash.  This mechanism has made perl
robust against attacks that have been demonstrated against other
systems.

Research by Yves Orton has recently uncovered a flaw in the
rehashing code which can result in pathological behavior.  This flaw
could be exploited to carry out a denial of service attack against
code that uses arbitrary user input as hash keys.

Vendors, including RedHat, Debian, and Ubuntu, were informed of this problem two weeks ago. Debian has pushed updated packages, and others are expected to do so soon. We encourage you to take these updates as soon as they are available.

We are aware that taking updated versions of some vendor perl packages (particularly with older releases of RedHat) may downgrade some modules that RT requires to run, causing breakages when RT is restarted. This is particularly known to be an issue with Scalar::Util, Sys::Syslog, and File::Temp.

For this reason, we suggest re-running rt-test-dependencies after you upgrade perl, to ensure that this has not occurred. You can do this by running /opt/rt4/bin/rt-test-dependencies, passing it one of --with-mysql, --with-pg, or --with-oracle, as well as --with-fastcgi or --with-modperl2, as suits your current deployment. If unmet dependencies are found, you should upgrade them immediately; this can be done by re-running rt-test-dependencies with the additional --install option.

The vendor upgrade of perl does not help if RT runs under a locally-compiled perl, since the vendor package never touches that installation. You can determine whether this is the case by examining the first line of /opt/rt4/bin/rt (or /opt/rt3/bin/rt). If that line is:

#!/usr/bin/perl

...then you are running the vendor-supplied version of perl, and need take no further steps beyond the vendor update. (If the line instead reads #!/usr/bin/env perl, RT uses whichever perl is first on its PATH; check that perl with perl -v.) Otherwise, you will need to upgrade your locally installed perl, or re-install it after applying the security patches. Perl 5.16.3 and 5.14.4 have now been released, and we strongly recommend upgrading to those.
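The checks above can be scripted. The following is an added example written for this page, not Best Practical's or RT's own code: it reads the shebang of the RT script, decides whether that perl is the vendor one, and for a locally built perl compares its version against the fixed releases (5.14.4, 5.16.3, and anything outside the affected range, i.e. 5.18 or newer). It assumes RT is installed under /opt/rt4, that the vendor perl is /usr/bin/perl, and that --with-mysql --with-fastcgi are the right rt-test-dependencies options for your deployment; adjust those as needed.

```shell
#!/bin/sh
# Added example (not RT's code): script the checks from the CVE-2013-1667
# advisory. Assumed: RT under /opt/rt4, vendor perl at /usr/bin/perl, and a
# MySQL + FastCGI deployment for the rt-test-dependencies options.

# Interpreter named on the first (shebang) line of an RT script.
rt_interpreter() {
    first=$(head -n 1 "$1") || return 1
    case $first in
        '#!'*) ;;
        *) return 1 ;;
    esac
    set -- ${first#"#!"}           # split "/usr/bin/perl -w" into words
    case $1 in
        */env) command -v "$2" ;;  # "#!/usr/bin/env perl": whatever PATH finds
        *)     printf '%s\n' "$1" ;;
    esac
}

# The vendor perl is /usr/bin/perl; anything else was installed locally.
is_vendor_perl() {
    [ "$1" = "/usr/bin/perl" ]
}

# Does version $1 (e.g. 5.16.2) name a release at or after the fixed ones?
# The advisory names 5.14.4 and 5.16.3; 5.18 and later are outside the
# affected 5.8.2..5.16.x range. Only meaningful for a locally built perl:
# vendor packages backport the fix without bumping the version string.
perl_version_fixed() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -lt 5 ] && return 1
    case $minor in
        14) [ "$patch" -ge 4 ] ;;
        16) [ "$patch" -ge 3 ] ;;
        *)  [ "$minor" -ge 18 ] ;;
    esac
}

# Versions of the modules the advisory says vendor updates may downgrade,
# as seen by the perl RT actually runs under ($1).
module_versions() {
    "$1" -e 'for my $m (@ARGV) {
        if (eval "require $m; 1") { printf "%s %s\n", $m, $m->VERSION }
        else { print "$m missing\n" }
    }' Scalar::Util Sys::Syslog File::Temp
}

# Report which perl RT uses and whether more than the vendor update is needed.
# Exit 0: nothing further; 1: locally built perl that needs upgrading;
# 2: could not determine.
check_rt_perl() {
    rt=${1:-/opt/rt4/bin/rt}
    perl=$(rt_interpreter "$rt") || { echo "$rt: no shebang line"; return 2; }
    if is_vendor_perl "$perl"; then
        echo "$rt runs under the vendor perl ($perl); the vendor update covers it"
        return 0
    fi
    ver=$("$perl" -MConfig -e 'print "$Config{version}\n"') || return 2
    if perl_version_fixed "$ver"; then
        echo "$rt runs under local perl $perl ($ver): fixed release"
    else
        echo "$rt runs under local perl $perl ($ver): upgrade to 5.14.4 / 5.16.3 or later"
        return 1
    fi
}

# Entry point: check the perl, list the modules the advisory warns about, then
# run RT's own dependency check (add --install to fix anything it reports).
main() {
    rt=${1:-/opt/rt4/bin/rt}
    check_rt_perl "$rt" || true
    module_versions "$(rt_interpreter "$rt")"
    "$(dirname "$rt")/rt-test-dependencies" --with-mysql --with-fastcgi
}

# Run only when given the path to the RT script, e.g.: sh check.sh /opt/rt4/bin/rt
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Note that the version comparison is deliberately applied only to a locally compiled perl: a vendor perl that still reports 5.10.1 may well carry the backported fix, so for it the only reliable check is that the vendor's updated package is installed.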

If you need help resolving this issue, please contact us at sales@bestpractical.com for more information.
