This is a notification of a security vulnerability, not in RT, but in perl itself. That vulnerability, CVE-2013-1667, affects all production versions of perl from 5.8.2 to 5.16.x.
In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems. Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.
Vendors, including RedHat, Debian, and Ubuntu, were informed of this problem two weeks ago. Debian has pushed updated packages, and others are expected to do so soon. We encourage you to take these updates as soon as they are available.
We are aware that taking updated versions of some vendor perl packages (particularly with older releases of RedHat) may downgrade some modules that RT requires to run, causing breakages when RT is restarted. This is particularly known to be an issue with
For this reason, we suggest re-running rt-test-dependencies after you upgrade perl, to ensure that this has not occurred. You can do this via /opt/rt4/bin/rt-test-dependencies, and passing it one --with-oracle, as well as --with-modperl2 as suits your current deployment. If unmet dependencies are found, you should immediately upgrade them; this can be done by re-running rt-test-dependencies with the additional
The vendor upgrades of perl may not be sufficient if you are running a locally-compiled version of perl. You can determine if this is the case by examining the first line of
that line contains:
...then you are running the vendor-supplied version of perl, and need take no further steps. Otherwise, you will need to upgrade your locally installed perl, or re-install it after applying security patches. Perl 5.16.3 and 5.14.4 have now been released, and we strongly recommend upgrading to those.
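As an added example (not part of this advisory), a POSIX shell check that maps a perl version string onto the ranges named above: 5.8.2 through 5.16.x affected, 5.14.4 and 5.16.3 the earliest fixed releases in their series; it assumes versions the advisory does not name (5.18 and later) are out of scope. Vendor-supplied perls are patched in place and keep their version number, so this is only meaningful for a locally compiled perl.

```shell
#!/bin/sh
# Added example, not code from the advisory or from RT.
# perl_is_affected VERSION
#   exits 0 if VERSION (e.g. 5.16.2) falls in the CVE-2013-1667 range named
#   by the advisory, 1 otherwise. Assumption: versions outside 5.8.2..5.16.x
#   are treated as not affected.
perl_is_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$patch" ] || patch=0
    # Only the 5.x line is in scope.
    [ "$major" -eq 5 ] || return 1
    case "$minor" in
        8)  if [ "$patch" -ge 2 ]; then return 0; else return 1; fi ;;  # 5.8.2+
        9|10|11|12|13|15) return 0 ;;                                    # no fix named
        14) if [ "$patch" -lt 4 ]; then return 0; else return 1; fi ;;  # fixed in 5.14.4
        16) if [ "$patch" -lt 3 ]; then return 0; else return 1; fi ;;  # fixed in 5.16.3
        *)  return 1 ;;
    esac
}

# check_perl_binary /path/to/perl
#   asks the given interpreter for its own version (perlvar's $^V idiom)
#   and reports whether it is inside the advisory's range.
check_perl_binary() {
    ver=$("$1" -e 'printf "%vd\n", $^V') || return 2
    if perl_is_affected "$ver"; then
        echo "$1 reports $ver: within the CVE-2013-1667 range (upgrade to 5.14.4/5.16.3 or later)"
    else
        echo "$1 reports $ver: outside the affected range"
    fi
}
```

Run it as `check_perl_binary /usr/local/bin/perl` (or whichever interpreter RT's shebang line points at); a vendor perl that reports an old version may already carry the backported fix.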
If you need help resolving this issue, please contact us at email@example.com for more information.