CERT mailing list archives
Current Activity - Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks
From: Current Activity <us-cert () us-cert gov>
Date: Wed, 28 Dec 2011 13:25:18 -0500
US-CERT Current Activity

Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks

Original release date: December 28, 2011 at 1:04 pm
Last revised: December 28, 2011 at 1:04 pm

US-CERT is aware of reports stating that multiple programming language implementations, including web platforms, are vulnerable to hash table collision attacks. This vulnerability could be used by an attacker to launch a denial-of-service attack against websites using affected products.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the ruby 1.8.7 patchlevel 357 release notes.

Microsoft has released a security advisory for ASP.NET containing a workaround. Additional information can be found in Microsoft Security Advisory 2659883.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.

US-CERT will provide additional information as it becomes available.

Relevant Url(s):
<http://www.ruby-forum.com/topic/3312298>
<http://www.nruns.com/_downloads/advisory28122011.pdf>
<http://technet.microsoft.com/en-us/security/advisory/2659883>
<http://www.kb.cert.org/vuls/id/903934>

====
This entry is available at
http://www.us-cert.gov/current/index.html#multiple_vendors_vulnerable_to_hash