Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 494024 (CVE-2013-7040) - <dev-lang/python-3.4.0: hash secret can be recovered remotely
Summary: <dev-lang/python-3.4.0: hash secret can be recovered remotely
Alias: CVE-2013-7040
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A4 [noglsa/cve]
Depends on:
Reported: 2013-12-12 10:50 UTC by Agostino Sarubbo
Modified: 2017-04-29 02:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-12 10:50:33 UTC
From ${URL} :

This is a followup to CVE-2012-1150 (hash table collision CPU usage DOS in CPython). points out that the hash secret in CPython can be recovered remotely, so 
while the original fix addressed the "blind DOS" problem (of being able to DOS any Python based service 
with a single prepared payload), it didn't completely eliminate the potential for remote DOS attacks based 
on hash collisions. ( has the details)

Python 3.4+ will use SipHash by default (, which should resolve 
the vulnerability completely.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-12-12 10:54:51 UTC
It's good to have this captured in a bug, but just FTR we will not clean up 2.7 (and probably not 3.3, either) just because of this bug. Doing speedy stabilization of 3.4 would be neat, but experience leads me to believe that that would also be a pretty unrealistic goal.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 13:51:33 UTC
Upstream tagged this as wontfix for versions older than 3.4 (the latter implemented PEP 456 to address this issue).
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-04-17 00:54:59 UTC
FOllowing upstream