Re: [ANN] Lua 5.2.1 (work1) now available

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: [ANN] Lua 5.2.1 (work1) now available
From: David Kolf <kolf@...>
Date: Thu, 22 Mar 2012 18:01:32 +0100

Roberto Ierusalimschy wrote:
> Moreover, a small overhead may be acceptable as a price for solving
> the "hash complexity attack" (that people will worry about despite all
> contrary evidence).

I thought I had read all the posts in the original thread about this
issue, but I don't remember any contrary evidence. Did I miss something?

As far as I remember the only tested real-world attack was against a
CGI-installation where the impact wasn't too bad as only a few threads
were blocked and the webserver could afford to open more threads. But a
server application that has to serve multiple clients using a single
thread can be quite vulnerable.

I do believe however, that most Lua applications are clientside or
offline and not threatened by the DoS attack. So I guess the solution
could be optional at compile-time and only those who want to run a
public server need to switch it on.

Best regards,

David Kolf

Follow-Ups:
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy

References:
- [ANN] Lua 5.2.1 (work1) now available, Luiz Henrique de Figueiredo
- Re: [ANN] Lua 5.2.1 (work1) now available, liam mail
- Re: [ANN] Lua 5.2.1 (work1) now available, liam mail
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, Miles Bader
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy

Prev by Date: Re: [ANN] Lua 5.2.1 (work1) now available
Next by Date: Re: [ANN] Lua 5.2.1 (work1) now available
Previous by thread: Re: [ANN] Lua 5.2.1 (work1) now available
Next by thread: Re: [ANN] Lua 5.2.1 (work1) now available
Index(es):
- Date
- Thread