From Red Hat Bugzilla at $URL:
Description: Julian Wälde and Alexander Klink reported a way to degrade performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #770929 for details. The apr developers are looking at adding randomization [1] to apr to mitigate such attacks. It is unknown how such attacks may be mounted against applications using libapr, or what the result might be, but the developers are discussing how best to address this. There is currently no formal patch or commit to apr.
[1] http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html
Solution:
http://svn.apache.org/viewvc?view=revision&revision=1231605
http://svn.apache.org/viewvc?view=revision&revision=1231858
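Added example (not from the bug report and not APR's own code): a seeded times-33 string hash modelled on the approach in the linked commits, under the assumption that the seed is used as the hash's starting value, plus a check of when such a seed actually separates colliding keys. All keys are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Times-33 string hash in the style of apr_hashfunc_default, with the seed as
 * the starting value (assumption: modelled on the linked APR commits, not
 * copied from apr_hash.c). Seed 0 is the classic unseeded hash. */
static unsigned int times33_hash(const char *key, size_t len, unsigned int seed)
{
    unsigned int hash = seed;
    for (size_t i = 0; i < len; i++)
        hash = hash * 33 + (unsigned char)key[i];
    return hash;
}

/* Bucket index in a power-of-two table (apr_hash masks with size - 1). */
static unsigned int bucket_of(const char *key, unsigned int seed, unsigned int nbuckets)
{
    return times33_hash(key, strlen(key), seed) & (nbuckets - 1);
}

/* Length of the most crowded chain: every lookup in that bucket walks all of
 * it, which is the slowdown the report describes. Requires nbuckets <= 64. */
static unsigned int longest_chain(const char *const *keys, size_t nkeys,
                                  unsigned int seed, unsigned int nbuckets)
{
    unsigned int counts[64] = {0}, worst = 0;
    for (size_t i = 0; i < nkeys; i++) {
        unsigned int b = bucket_of(keys[i], seed, nbuckets);
        if (++counts[b] > worst)
            worst = counts[b];
    }
    return worst;
}

/* Constructed keys: single characters all congruent to 1 mod 16, so they share
 * one bucket of a 16-slot table at seed 0. For equal-length keys the seed only
 * adds the constant seed * 33^len to every hash, and adding a constant modulo
 * a power of two preserves equality, so this chain survives any seed. */
static const char *const SAME_LEN_KEYS[] = {"a", "q", "A", "Q"};

int main(void)
{
    unsigned int seeds[] = {0, 7, 12345};
    for (size_t i = 0; i < 3; i++)
        printf("seed %u: longest chain %u of 4 keys\n", seeds[i],
               longest_chain(SAME_LEN_KEYS, 4, seeds[i], 16));
    /* Different lengths get different seed terms, so here the seed does help:
     * "a" and "b?" share bucket 33 of 64 at seed 0 but split at seed 1. */
    printf("seed 0: %u %u  seed 1: %u %u\n", bucket_of("a", 0, 64),
           bucket_of("b?", 0, 64), bucket_of("a", 1, 64), bucket_of("b?", 1, 64));
    return 0;
}
```

This is the limitation the APR developers allude to later in the thread: a starting-value seed changes which bucket a chain lands in, not whether equal-length keys chain together, so the choice of storage structure still matters.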
Discussion on APR development mailing list seems to imply that the fix is incompatible and will never be backported to APR 1.*.
(In reply to comment #0)
> http://svn.apache.org/viewvc?view=revision&revision=1231605
> http://svn.apache.org/viewvc?view=revision&revision=1231858
http://svn.apache.org/viewvc?view=revision&revision=1232320
New commits:
http://svn.apache.org/viewvc?view=revision&revision=1236642
http://svn.apache.org/viewvc?view=revision&revision=1236967
APR project says that there is no security vulnerability: http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html
*** Bug 403731 has been marked as a duplicate of this bug. ***
Oh, what would security be without drama? ;) From that last link:
> Contrary to Mr Seifried's confusion, the recent code changes reflect a possibility of mitigating potential hash collisions, but certainly do not and can not eliminate such risks, and it is up to the developer to select appropriate storage and lookup mechanisms for their specific problem domain.
@apache, am I correct to believe these changes are in 1.4.6? And shall we stabilize this for good measure? Thanks much.
@apache, Arfrever pointed out to me that these changes in APR may cause downstream tests to fail. The example shared was:
https://svn.apache.org/viewvc?view=revision&revision=1293602
Thanks, Arfrever.
@maintainers: okay to stable apr-1.4.8-r1 on sh in order to drop 1.4.5?
sh -> ~arch, no longer a concern. @maintainers: please drop affected, will remove in 30 days if no response. GLSA vote: no.
Stabilization completed in 477296. GLSA vote: yes. I had an existing draft.
This issue was resolved and addressed in GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml by GLSA coordinator Sean Amoss (ackle).