| Summary: | <dev-ml/ocamlnet-3.5: Hash collision DoS vulnerability (CVE-2012-0839) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ml |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
GLSAMaker/CVETool Bot
2012-02-26 20:19:11 UTC
I don't understand what you expect here, ocaml is a language and dev-lang/ocaml its compiler and interpreter; you wouldn't blame gcc because 'while(1)' is allowed in C...

things like this can be relevant though, but it's rather at application level than compiler level:

011-12-30 Gerd Stolpmann <gerd@gerd-stolpmann.de>

* Security: adding limit max_arguments to Netcgi. This is more
  a general measure of precaution against DoS attacks where
  a specially crafted POST request contains many keys that
  collide massively in the hash table. Actually, Ocamlnet is
  not directly vulnerable; however, application programs can
  nevertheless be when they access a degenerated hash table.

(changelog of dev-ml/ocamlnet-3.5)

(In reply to comment #2)
> things like this can be relevant though, but it's rather at application level
> than compiler level:
>
> 011-12-30 Gerd Stolpmann <gerd@gerd-stolpmann.de>
>
> * Security: adding limit max_arguments to Netcgi. This is more
> a general measure of precaution against DoS attacks where
> a specially crafted POST request contains many keys that
> collide massively in the hash table. Actually, Ocamlnet is
> not directly vulnerable; however, application programs can
> nevertheless be when they access a degenerated hash table.
>
> (changelog of dev-ml/ocamlnet-3.5)

Thanks for this. Can we move forward and stabilize =dev-ml/ocamlnet-3.5?

(In reply to comment #3)
> Thanks for this. Can we move forward and stabilize =dev-ml/ocamlnet-3.5?

yes

Arches, please test and mark stable:
=dev-ml/ocamlnet-3.5
Target keywords : "amd64 ppc x86"

amd64 stable

x86 stable

ppc stable

Thanks, everyone. GLSA vote: yes.

GLSA Vote: no.

NO too, closing.
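
The precaution described in the quoted changelog, capping the number of request arguments before they are inserted into a hash table, shown as an added OCaml example using only the standard library. It is not Ocamlnet's Netcgi code and not part of the original thread; `parse_form`, `Too_many_arguments` and the cap of 1000 are hypothetical.

```ocaml
(* Added illustration, stdlib only; not Ocamlnet's implementation. *)
exception Too_many_arguments of int

(* Decode '+' and %XX in a urlencoded component; malformed escapes stay literal. *)
let url_decode s =
  let n = String.length s in
  let b = Buffer.create n in
  let hex c = match c with
    | '0'..'9' -> Some (Char.code c - 48)
    | 'a'..'f' -> Some (Char.code c - 87)
    | 'A'..'F' -> Some (Char.code c - 55)
    | _ -> None in
  let rec go i =
    if i < n then begin
      match s.[i] with
      | '%' when i + 2 < n ->
        (match hex s.[i + 1], hex s.[i + 2] with
         | Some h, Some l -> Buffer.add_char b (Char.chr (h * 16 + l)); go (i + 3)
         | _ -> Buffer.add_char b '%'; go (i + 1))
      | '+' -> Buffer.add_char b ' '; go (i + 1)
      | c -> Buffer.add_char b c; go (i + 1)
    end in
  go 0; Buffer.contents b

(* Count the arguments first and refuse the whole request if the cap is
   exceeded, so the table handed to the application stays bounded in size. *)
let parse_form ~max_arguments body =
  let parts = List.filter (fun p -> p <> "") (String.split_on_char '&' body) in
  let n = List.length parts in
  if n > max_arguments then raise (Too_many_arguments n);
  let tbl = Hashtbl.create 16 in
  List.iter (fun p ->
      let k, v = match String.index_opt p '=' with
        | Some i -> String.sub p 0 i, String.sub p (i + 1) (String.length p - i - 1)
        | None -> p, "" in
      Hashtbl.add tbl (url_decode k) (url_decode v)) parts;
  tbl

let () =
  (* Constructed inputs: an ordinary form, then a body with 5000 keys. *)
  let small = "user=alice&note=hello+world%21" in
  let big = String.concat "&" (List.init 5000 (fun i -> Printf.sprintf "k%d=x" i)) in
  let t = parse_form ~max_arguments:1000 small in
  Printf.printf "small: %d args, note=%S\n" (Hashtbl.length t) (Hashtbl.find t "note");
  match parse_form ~max_arguments:1000 big with
  | _ -> print_endline "big: accepted"
  | exception Too_many_arguments n -> Printf.printf "big: rejected, %d arguments\n" n
```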