| Summary: | <dev-lang/python-{2.6.8,2.7.3-r1,3.1.5,3.2.3} Hash collision DoS (CVE-2012-1150) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/ | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 396397 | | |
Description
Alex Legler (RETIRED)
2011-12-28 16:06:15 UTC
I've sent email to security@python.org.

Upstream tracking bug: http://bugs.python.org/issue13703

Upstream have released new versions of Python that include a hash randomization feature. This feature is NOT enabled by default; a comment on LWN's news item [1] suggests that starting 3.3, it will be default.

Python team: Bump time.

[1] http://lwn.net/Articles/491939/

2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll likely get to 3.2.3 tomorrow.

(In reply to comment #4)
> 2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll
> likely get to 3.2.3 tomorrow.

Thanks. Would 3.2.3 be a target for stabilization? Or, asked another way, shall we stabilize just 2.7.3 here, or wait and stabilize 2.7.3 and 3.2.3 together?

```
+*python-3.1.5 (26 Apr 2012)
+*python-2.7.3-r1 (26 Apr 2012)
+*python-3.2.3 (26 Apr 2012)
+*python-2.6.8 (26 Apr 2012)
+
+  26 Apr 2012; Mike Gilbert <floppym@gentoo.org> +python-2.6.8.ebuild,
+  +python-2.7.3-r1.ebuild, +python-3.1.5.ebuild, +python-3.2.3.ebuild:
+  Version bumps for security bug 396329. Ebuilds and patchsets based on work by
+  Arfrever in Progress overlay.
+
```

I think it would be appropriate to stabilize all 4 versions above.

I'd prefer to hold off on stabilization for a little bit, while we discuss the patch set.

Hi, folks. Shall we move forward with stabilization now? Tnx.

Yes, please.

Great, thanks. Arches, please test and mark stable:

=dev-lang/python-2.6.8
=dev-lang/python-2.7.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-lang/python-3.1.5
=dev-lang/python-3.2.3
Target keywords : "amd64 hppa ppc ppc64 x86"

@python is that correct, or should we be targeting 3.2.3-r1 and 2.7.3-r2 instead?

The fix for the security vulnerability is incomplete: http://bugs.python.org/issue14621

We shouldn't delay stabilization over comment 11.

Stable on alpha: =dev-lang/python-2.6.8 =dev-lang/python-2.7.3-r1

amd64 ok

amd64 stable, thanks k01 for testing

ppc/ppc64 done

Stable for HPPA.

x86 stable

arm stable

ia64/m68k/s390/sh/sparc stable

Thanks, everyone. Added to existing GLSA request.

CVE-2012-1150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1150): Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).
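Since the thread turns on whether the hash randomization added in these releases is actually switched on (off by default in the versions stabilized here, on by default from 3.3), here is an added audit script, not code from the bug report, from Gentoo or from Python upstream, that reports the state of the running interpreter and then checks in fresh child interpreters whether `hash()` of a fixed string varies between runs under different `PYTHONHASHSEED` settings. It assumes a Python 3 interpreter reachable via `sys.executable`; the probe string `'collision-test'` is a constructed sample. `PYTHONHASHSEED` and `sys.flags.hash_randomization` are the upstream knobs introduced with 2.6.8/2.7.3/3.1.5/3.2.3.

```python
import os
import subprocess
import sys
from typing import Optional, Tuple

# Constructed probe: print the hash of a fixed string and the interpreter's
# randomization flag, so the parent can compare results across fresh processes.
PROBE = "import sys; print(hash('collision-test'), sys.flags.hash_randomization)"


def audit_current_interpreter() -> dict:
    """Report whether THIS interpreter runs with hash randomization enabled.

    sys.flags.hash_randomization is 1 when randomization is active (via -R,
    PYTHONHASHSEED=random, or the 3.3+ default) and 0 when hashes are
    deterministic and therefore predictable by anyone who knows the algorithm.
    """
    return {
        "version": sys.version_info[:3],
        "hash_randomization": bool(sys.flags.hash_randomization),
        "PYTHONHASHSEED": os.environ.get("PYTHONHASHSEED"),
    }


def hash_in_fresh_interpreter(seed: Optional[str]) -> Tuple[int, int]:
    """Run PROBE in a child interpreter with PYTHONHASHSEED set as requested.

    seed=None leaves the variable unset (interpreter default), "0" disables
    randomization, "random" forces it on, and a decimal integer pins the seed.
    Returns (hash_value, randomization_flag) as reported by the child.
    """
    env = {k: v for k, v in os.environ.items() if k != "PYTHONHASHSEED"}
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    proc = subprocess.run(
        [sys.executable, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    hash_value, flag = proc.stdout.split()
    return int(hash_value), int(flag)


def hash_is_randomized(seed: Optional[str] = None, runs: int = 3) -> bool:
    """True if hash('collision-test') differs between fresh interpreters.

    With a fixed or disabled seed every run yields the same value, which is
    exactly the predictability CVE-2012-1150 is about; with a random seed the
    values differ from process to process.
    """
    values = {hash_in_fresh_interpreter(seed)[0] for _ in range(runs)}
    return len(values) > 1


if __name__ == "__main__":
    print("this interpreter:", audit_current_interpreter())
    for setting in (None, "0", "random"):
        label = "unset" if setting is None else repr(setting)
        print(f"PYTHONHASHSEED={label}: randomized across runs ->",
              hash_is_randomized(setting))
```

Run it under the interpreter you want to audit; on a deployment where the flag comes back `0` and hashes match across runs, the randomization fix is present but inactive, which is the situation the LWN comment quoted above describes for the pre-3.3 releases.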