Bug#653964: glassfish predictable hash collisions
On Mon, Jan 02, 2012 at 09:56:20AM +0100, Torsten Werner wrote:
> Hi,
>
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst wrote:
> > It was reported that Glassfish is affected by the predictable hash
> > collisions attack that made its rounds around the net this week. This is
> > tracked at http://security-tracker.debian.org/tracker/CVE-2011-5035
>
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.
>
> > Can you ensure that fixed packages are uploaded to sid as soon as possible,
> > and assert whether a fix for lenny and squeeze would be necessary?
>
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

The advisory can be found here:
http://www.nruns.com/_downloads/advisory28122011.pdf

I'm not sure where to find "Oracle security ticket S0104869", though.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#653964: glassfish predictable hash collisions
On Mon, January 2, 2012 09:56, Torsten Werner wrote:
> Hi,
>
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst wrote:
>> It was reported that Glassfish is affected by the predictable hash
>> collisions attack that made its rounds around the net this week. This is
>> tracked at http://security-tracker.debian.org/tracker/CVE-2011-5035
>
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.

Perhaps that depends on whether the affected function is in those libs and
hence exposed in some way to outside-facing services.

>> Can you ensure that fixed packages are uploaded to sid as soon as
>> possible, and assert whether a fix for lenny and squeeze would be
>> necessary?
>
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

It's a generic vulnerability. More details on that are in here:
http://www.kb.cert.org/vuls/id/903934

I do not immediately know how this relates to Glassfish specifically, but in
the general case it boils down to doing a crafted request which exploits
complexity in the implementation such that all processing power is consumed
by dealing with the request.

For the specific case, there's apparently "Oracle security ticket S0104869",
but I don't know how to access that. Ocert says: "Oracle reports that the
issue is fixed in the main codeline and scheduled for a future CPU".

Does this help you a bit?

Thijs
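The generic mechanism Thijs describes above (a single request whose parameters drive a hash-based container into its worst case, so the server burns all its CPU on one request) has two mitigations that are independent of whether any particular hash function is predictable: cap the amount of parameter work a request may cause, and keep request parameters in a structure whose cost does not depend on hashCode() at all. The following is an added Java example illustrating both; it is not part of this thread and not Glassfish or Debian code. The class BoundedParameterParser, its TooManyParametersException and the two limits (maxParameterCount, maxQueryLength) are assumptions for illustration, modelled on the per-request parameter limits servlet containers adopted in response to this class of issue.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Added example, not Glassfish/Debian code: a request-parameter parser hardened
 * against algorithmic-complexity (hash collision) denial of service.
 *
 * Defence 1: a hard cap on parameters per request bounds the work done per
 *            request no matter what the parameter names are.
 * Defence 2: a TreeMap orders keys with String.compareTo(), never hashCode(),
 *            so keys chosen to share a hash code cannot degrade lookups.
 */
public final class BoundedParameterParser {

    /** Thrown when a request exceeds the configured parameter budget (hypothetical). */
    public static final class TooManyParametersException extends RuntimeException {
        private static final long serialVersionUID = 1L;
        public TooManyParametersException(String message) { super(message); }
    }

    private final int maxParameterCount; // hypothetical limit, e.g. 1000 or 10000
    private final int maxQueryLength;    // hypothetical limit on raw query bytes parsed

    public BoundedParameterParser(int maxParameterCount, int maxQueryLength) {
        if (maxParameterCount < 1 || maxQueryLength < 1) {
            throw new IllegalArgumentException("limits must be positive");
        }
        this.maxParameterCount = maxParameterCount;
        this.maxQueryLength = maxQueryLength;
    }

    /** Parses "a=1&b=2&a=3" into name -> values, rejecting oversized requests early. */
    public Map<String, List<String>> parse(String query) {
        Map<String, List<String>> params = new TreeMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        // Cheapest check first: refuse oversized input before touching any of it.
        if (query.length() > maxQueryLength) {
            throw new TooManyParametersException(
                "query string of " + query.length() + " chars exceeds limit " + maxQueryLength);
        }
        int count = 0;
        int start = 0;
        while (true) {
            int amp = query.indexOf('&', start);
            int end = (amp < 0) ? query.length() : amp;
            if (end > start) { // skip empty segments such as "a=1&&b=2"
                // Count before inserting: the cap is enforced before any map work is done.
                if (++count > maxParameterCount) {
                    throw new TooManyParametersException(
                        "more than " + maxParameterCount + " parameters in one request");
                }
                String pair = query.substring(start, end);
                int eq = pair.indexOf('=');
                String name = decode(eq < 0 ? pair : pair.substring(0, eq));
                String value = (eq < 0) ? "" : decode(pair.substring(eq + 1));
                params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            }
            if (amp < 0) {
                break;
            }
            start = amp + 1;
        }
        return params;
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        BoundedParameterParser parser = new BoundedParameterParser(1000, 64 * 1024);

        // Constructed, ordinary request: accepted.
        Map<String, List<String>> ok = parser.parse("user=alice&lang=en&lang=de&q=hash%20dos");
        System.out.println("accepted: " + ok);

        // Constructed flood of 1001 distinct, harmless parameter names. The cap alone
        // stops it; the parser never needs to know whether names were chosen to collide.
        StringBuilder flood = new StringBuilder();
        for (int i = 0; i <= 1000; i++) {
            if (i > 0) {
                flood.append('&');
            }
            flood.append("p").append(i).append("=x");
        }
        try {
            parser.parse(flood.toString());
            System.out.println("BUG: flood was accepted");
        } catch (TooManyParametersException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth noting for anyone assessing the Debian packages: the length check and the count check both run before any map insertion, so a rejected request costs only a linear scan of the query string; and the TreeMap replaces rather than supplements the count cap only if every other hash-keyed structure the request touches (headers, cookies, session attributes) is also bounded, which is why the per-request cap is the more general of the two defences.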
Bug#653964: glassfish predictable hash collisions
Hi,

On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst wrote:
> It was reported that Glassfish is affected by the predictable hash collisions
> attack that made its rounds around the net this week. This is tracked at
> http://security-tracker.debian.org/tracker/CVE-2011-5035

I do not think that we are vulnerable because Debian does not ship a
full glassfish stack. We build some core libs only.

> Can you ensure that fixed packages are uploaded to sid as soon as possible,
> and assert whether a fix for lenny and squeeze would be necessary?

I do not even understand how to reproduce the issue. May you elaborate
on that, please?

Thanks,
Torsten
Bug#653964: glassfish predictable hash collisions
Package: glassfish
Severity: serious
Tags: security

Hi,

It was reported that Glassfish is affected by the predictable hash collisions
attack that made its rounds around the net this week. This is tracked at
http://security-tracker.debian.org/tracker/CVE-2011-5035

Can you ensure that fixed packages are uploaded to sid as soon as possible,
and assert whether a fix for lenny and squeeze would be necessary?

Cheers,
Thijs