Posted to dev@apr.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2012/02/22 17:49:32 UTC

Re: Hash collision vectors in APR?

On 1/5/2012 11:45 AM, William A. Rowe Jr. wrote:
> http://www.nruns.com/_downloads/advisory28122011.pdf
> 
> Should we add some randomization to prevent abuse?
> 
> It's hard to anticipate how folks might leverage apr, and how malicious
> folks might then seek to exploit computational workload vectors.

After extensive consultation with the security projects of various APR
consumers, it's apparent that there are no actual vulnerabilities to be
exploited here.  Contrary to Mr Seifried's confusion, the recent code
changes reflect a possibility of mitigating potential hash collisions,
but certainly do not and can not eliminate such risks, and it is up to
the developer to select appropriate storage and lookup mechanisms for
their specific problem domain.

These changes do not represent either a security DEFECT or any actual
security FIX.  The APR Project dis-acknowledges the assignment of
CVE-2012-0840 as erroneous, and invalid.  Kurt, since you created the
defect, please edit it appropriately.  security@apache.org is always
happy to consult in order to avoid future errors and misinformation.

Stefan, please revert your miscommit.  In the future, please run such
things past security@apache.org before applying inaccurate external
assignments.