Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 12 Feb 2014 00:29:50 +1100
From: Murray McAllister <>
Subject: Re: CVE-2013-6401 Jansson hash collision issue

On 02/12/2014 12:20 AM, Murray McAllister wrote:
> As reported to the distros mailing list:
> Hi all,
> Florian Weimer of the Red Hat Product Security Team found that the
> hashing implementation in Jansson, a library for encoding, decoding and
> manipulating JSON data, was susceptible to predictable hash collisions.
> A remote attacker could use this flaw to cause an application using
> Jansson to use an excessive amount of CPU time by sending a crafted JSON
> document containing a large number of parameters whose names map to the
> same hash value. (CVE-2013-6401)
> With regards to affected versions, I am guessing only 2.4-2 and 2.4-3
> were checked (by Red Hat).
> Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their
> extensive work on the patch:
> (Feel free to copy the above CVE-2013-6401 description paragraph in any
> of your bugs or advisories.)
> Red Hat bug: (to be
> opened shortly)
> Cheers,
> --
> Murray McAllister / Red Hat Security Response Team

This commit is also needed:

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ