| Summary: | <dev-libs/jansson-2.7: Hash Collisions Denial of Service Vulnerabilities (CVE-2013-6401) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | bugs, hwoarang, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/56777/ | | |
| See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1035538 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 396397, 558734 | | |
Description
Agostino Sarubbo
2014-02-12 15:31:14 UTC

Jansson 2.6 was out the other day; much because of this bug (well, upstream). Changelog here: https://github.com/akheron/jansson/commit/e83ded066a610f8de7caaa3942769321ededa84f

As proxy, I'd recommend a verbump. Rename from 2.5 works fine for me. I'd also back a quick stabilisation round if my co-maintainer is up for it. FWIW, verbump bug here: https://bugs.gentoo.org/show_bug.cgi?id=502488

CVE-2013-6401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6401): Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted JSON document.

We should just stabilize 2.7 now for everyone.

amd64 stable

x86 stable

Stable for HPPA.

Stable for PPC64.

Stable on alpha.

arm stable

sparc stable

ppc stable.

Maintainer(s), please cleanup. Security, please vote.

GLSA Vote: No

Vote: NO.

It has been 30 days since cleanup was requested. Maintainer(s), please drop the vulnerable version(s).
Jansson 2.6 was out the other day; much because of this bug (well, upstream). Changelog here: https://github.com/akheron/jansson/commit/e83ded066a610f8de7caaa3942769321ededa84f As proxy, I'd recommend a verbump. Rename from 2.5 works fine for me. I'd also back a quick stabilisation round if my co-maintainer is up for it. fwiw, verbump bug here: https://bugs.gentoo.org/show_bug.cgi?id=502488 CVE-2013-6401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6401): Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted JSON document. we should just stabilize 2.7 now for everyone amd64 stable x86 stable Stable for HPPA. Stable for PPC64. Stable on alpha. arm stable sparc stable ppc stable. Maintainer(s), please cleanup. Security, please vote. GLSA Vote: No Vote: NO. It has been 30 days since cleanup was requested. Maintainer(s), please drop the vulnerable version(s). |