+++ This bug was initially created as a clone of Bug #396311 +++
See $URL for a more elaborate explanation; I'll update this with more detail later.
Specially crafted POST parameters can be used to cause hash table operations with a time complexity of O(n^2), causing a Denial of Service.
Python upstream has yet to comment on the issue.
I've sent email to email@example.com.
Upstream tracking bug: http://bugs.python.org/issue13703
Upstream have released new versions of Python that include a hash randomization feature.
This feature is NOT enabled by default; a comment on LWN's news item suggests that starting with 3.3, it will be the default.
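An added example, not part of this bug thread and not Gentoo's or CPython's own code, showing how a defender can verify whether hash randomization is actually in effect for the interpreter that serves an application. It assumes a CPython 3.3 or later interpreter, where the PYTHONHASHSEED environment variable alone controls the seed (0 disables randomization, a positive integer pins it, unset means random), and it uses the constructed key name "session_id"; the seed is fixed for the life of a process, so each measurement is taken in a fresh child interpreter:

```python
import os
import subprocess
import sys

# Constructed sample key: any short string will do, the point is whether
# its hash changes when the per-process seed changes.
SAMPLE_KEY = "session_id"


def hash_of(text: str, seed) -> int:
    """Return hash(text) as computed by a fresh interpreter.

    seed=None leaves PYTHONHASHSEED unset, so the child picks a random seed
    (the CPython 3.3+ default); seed=0 disables randomization; any other
    integer pins the seed. The hash has to be read from a separate process
    because the seed cannot change once an interpreter has started.
    """
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    # With "-c code arg", the child sees sys.argv == ["-c", arg].
    out = subprocess.run(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", text],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(out.stdout.strip())


def randomization_enabled() -> bool:
    """True if the interpreter running this code has hash randomization on."""
    return bool(sys.flags.hash_randomization)


def audit(text: str = SAMPLE_KEY) -> dict:
    """Collect evidence about hash randomization across interpreter runs.

    seed0_stable and seed_changes_hash are deterministic; random_runs_differ
    is what a correctly randomized deployment should show (two unseeded
    runs disagree), but it is probabilistic by nature.
    """
    return {
        "this_process_randomized": randomization_enabled(),
        "seed0_stable": hash_of(text, 0) == hash_of(text, 0),
        "seed_changes_hash": hash_of(text, 0) != hash_of(text, 1),
        "random_runs_differ": hash_of(text, None) != hash_of(text, None),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

If `this_process_randomized` is False on a production interpreter, check for a PYTHONHASHSEED=0 left over from a test or build environment: a pinned or disabled seed restores exactly the predictable collisions this bug is about.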
Python team: Bump time.
2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll likely get to 3.2.3 tomorrow.
(In reply to comment #4)
> 2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll
> likely get to 3.2.3 tomorrow.
Thanks. Would 3.2.3 be a target for stabilization? Or, asked another way, shall we stabilize just 2.7.3 here, or wait and stabilize 2.7.3 and 3.2.3 together?
+*python-3.1.5 (26 Apr 2012)
+*python-2.7.3-r1 (26 Apr 2012)
+*python-3.2.3 (26 Apr 2012)
+*python-2.6.8 (26 Apr 2012)
+ 26 Apr 2012; Mike Gilbert <firstname.lastname@example.org> +python-2.6.8.ebuild,
+ +python-2.7.3-r1.ebuild, +python-3.1.5.ebuild, +python-3.2.3.ebuild:
+ Version bumps for security bug 396329. Ebuilds and patchsets based on work by
+ Arfrever in Progress overlay.
I think it would be appropriate to stabilize all 4 versions above.
I'd prefer to hold off on stabilization for a little bit, while we discuss the patch set.
Hi, folks. Shall we move forward with stabilization now? Tnx.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Target keywords : "amd64 hppa ppc ppc64 x86"
@python is that correct, or should we be targeting 3.2.3-r1 and 2.7.3-r2 instead?
The fix for the security vulnerability is incomplete:
We shouldn't delay stabilization over comment 11.
Stable on alpha:
amd64 stable, thanks k01 for testing
Stable for HPPA.
Added to existing GLSA request.
Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before
3.2.3 computes hash values without restricting the ability to trigger hash
collisions predictably, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via crafted input to an application that
maintains a hash table.
This issue was resolved and addressed in
GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).