On Mon, Feb 06, 2012 at 06:10:15PM -0700, Kurt Seifried wrote:
> On 02/06/2012 06:05 PM, Kurt Seifried wrote:
> > So going through various things looks like Ocaml is vulnerable and has
> > not had a CVE # assigned for this issue yet.
> >
> > Discussion of the issue takes place on the mailing list, here is a link
> > for the originating thread:
> >
> >cc
> >
> > There doesn't appear to be a fix yet.
> >
>
> Please use CVE-2012-0839 for this issue.
Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=787888

Rather than changing every app that uses Hashtbl, I'd prefer to fix this upstream by choosing a random seed for hash tables unless the caller explicitly sets one or sets an environment variable to disable this.

In Perl, the seed is a random number chosen when the Perl interpreter starts up. This is low overhead, but still leaves a (much more theoretical) attack where someone can determine the seed from a long-running process using some other method and still attack the hash table.

In Python there is an environment variable you can set to disable randomized hash tables. Further Python discussion here:

http://bugs.python.org/issue13703
http://mail.python.org/pipermail/python-dev/2012-January/thread.html#115465

Rich.

--
Richard Jones
Red Hat

--
Caml-list mailing list. Subscription management and archives:
https://sympa-roc.inria.fr/wws/info/caml-list
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs
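The seeding policy Rich proposes is what OCaml 4.00 later shipped in its Hashtbl module. The following program is an added example, not code from this thread or from the OCaml project: it contrasts the fixed-seed default with per-table and process-wide randomization, and assumes OCaml 4.06 or later (for List.init and Hashtbl.is_randomized).

```ocaml
(* Added example: Hashtbl seeding controls in the OCaml standard library.
   Assumes OCaml >= 4.06; the ~random flag and Hashtbl.randomize date from
   4.00, Hashtbl.is_randomized from 4.03. *)

(* Constructed sample keys; a real workload would take them from untrusted input. *)
let keys = List.init 8 (fun i -> Printf.sprintf "key%d" i)

(* Keys in bucket-iteration order: this order is a function of the seed. *)
let order tbl =
  Hashtbl.fold (fun k _ acc -> k :: acc) tbl [] |> List.rev

let fill tbl =
  List.iter (fun k -> Hashtbl.replace tbl k (String.length k)) keys

let show label tbl =
  Printf.printf "%-8s: %s\n" label (String.concat " " (order tbl))

let () =
  (* Weak default: a fixed seed, so the bucket layout is identical on every
     run and colliding keys computed offline keep colliding in production. *)
  let fixed = Hashtbl.create 16 in
  fill fixed;
  show "fixed" fixed;

  (* Per-table mitigation: the runtime draws a fresh random seed for this
     table, so its iteration order (and collision structure) changes between
     runs. *)
  let randomized = Hashtbl.create ~random:true 16 in
  fill randomized;
  show "random" randomized;

  (* Process-wide mitigation, equivalent to running with OCAMLRUNPARAM=R:
     every table created after this call is seeded randomly unless the
     caller opts out with ~random:false. *)
  Hashtbl.randomize ();
  Printf.printf "randomized globally: %b\n" (Hashtbl.is_randomized ());
  let after = Hashtbl.create 16 in
  fill after;
  show "after" after
```

Run it twice: the "fixed" line repeats verbatim while the "random" and "after" lines typically differ, which is the property that denies an attacker a stable layout to precompute against.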