+++ This bug was initially created as a clone of Bug #396311 +++

See $URL for a more elaborate explanation; I'll update this with more detail later. Specially crafted POST parameters can be used to cause hash table operations with a time complexity of O(n^2), causing a Denial of Service. Python upstream has yet to comment on the issue.
I've sent email to security@python.org.
Upstream tracking bug: http://bugs.python.org/issue13703
Upstream have released new versions of Python that include a hash randomization feature. This feature is NOT enabled by default; a comment on LWN's news item [1] suggests that starting with 3.3, it will be the default.

Python team: Bump time.

[1] http://lwn.net/Articles/491939/
2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll likely get to 3.2.3 tomorrow.
(In reply to comment #4)
> 2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll
> likely get to 3.2.3 tomorrow.

Thanks. Would 3.2.3 be a target for stabilization? Or, asked another way, shall we stabilize just 2.7.3 here, or wait and stabilize 2.7.3 and 3.2.3 together?
+*python-3.1.5 (26 Apr 2012) +*python-2.7.3-r1 (26 Apr 2012) +*python-3.2.3 (26 Apr 2012) +*python-2.6.8 (26 Apr 2012) + + 26 Apr 2012; Mike Gilbert <floppym@gentoo.org> +python-2.6.8.ebuild, + +python-2.7.3-r1.ebuild, +python-3.1.5.ebuild, +python-3.2.3.ebuild: + Version bumps for security bug 396329. Ebuilds and patchsets based on work by + Arfrever in Progress overlay. + I think it would be appropriate to stabilize all 4 versions above.
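Review bot: the ChangeLog entry for the four new ebuilds cites only bug 396329 and says nothing about the hash randomization feature these releases carry, which the LWN note above says is NOT enabled by default; the entry should state whether the ebuilds leave it off, so that administrators know they still have to enable it themselves, and should name CVE-2012-1150 so the bump can be matched to the advisory.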
I'd prefer to hold off on stabilization for a little bit, while we discuss the patch set.
Hi, folks. Shall we move forward with stabilization now? Tnx.
Yes, please.
Great, thanks. Arches, please test and mark stable:

=dev-lang/python-2.6.8
=dev-lang/python-2.7.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-lang/python-3.1.5
=dev-lang/python-3.2.3
Target keywords : "amd64 hppa ppc ppc64 x86"

@python is that correct, or should we be targeting 3.2.3-r1 and 2.7.3-r2 instead?
The fix for the security vulnerability is incomplete: http://bugs.python.org/issue14621
We shouldn't delay stabilization over comment 11.
Stable on alpha:
=dev-lang/python-2.6.8
=dev-lang/python-2.7.3-r1
amd64 ok
amd64 stable, thanks k01 for testing
ppc/ppc64 done
Stable for HPPA.
x86 stable
arm stable
ia64/m68k/s390/sh/sparc stable
Thanks, everyone. Added to existing GLSA request.
CVE-2012-1150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1150): Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).