It's an important release.
On Wed, Apr 11, 2012 at 03:37:49PM -0400, Benjamin Peterson wrote:

> We're bursting with enthusiasm to announce the immediate availability of
> Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3. These releases included several security
> fixes.
>
> Note: Virtualenvs created with older releases in the 2.6, 2.7, 3.1, or 3.2
> series may not work with these bugfix releases. Specifically, the os module may
> not appear to have a urandom function. This is a virtualenv bug, which can be
> solved by recreating the broken virtualenvs with the newer Python versions.
>
> The main impetus for these releases is fixing a security issue in Python's hash
> based types, dict and set, as described below. Python 2.7.3 and 3.2.3 include
> the security patch and the normal set of bug fixes. Since Python 2.6 and 3.1 are
> maintained only for security issues, 2.6.8 and 3.1.5 contain only various
> security patches.
>
> The security issue exploits Python's dict and set implementations. Carefully
> crafted input can lead to extremely long computation times and denials of
> service. [1] Python dict and set types use hash tables to provide amortized
> constant time operations. Hash tables require a well-distributed hash function
> to spread data evenly across the hash table. The security issue is that an
> attacker could compute thousands of keys with colliding hashes; this causes
> quadratic algorithmic complexity when the hash table is constructed. To
> alleviate the problem, the new releases add randomization to the hashing of
> Python's string types (bytes/str in Python 3 and str/unicode in Python 2),
> datetime.date, and datetime.datetime. This prevents an attacker from computing
> colliding keys of these types without access to the Python process.
>
> Hash randomization causes the iteration order of dicts and sets to be
> unpredictable and differ across Python runs. Python has never guaranteed
> iteration order of keys in a dict or set, and applications are advised to never
> rely on it. Historically, dict iteration order has not changed very often across
> releases and has always remained consistent between successive executions of
> Python. Thus, some existing applications may be relying on dict or set ordering.
> Because of this and the fact that many Python applications which don't accept
> untrusted input are not vulnerable to this attack, in all stable Python releases
> mentioned here, HASH RANDOMIZATION IS DISABLED BY DEFAULT. There are two ways to
> enable it. The -R commandline option can be passed to the python executable. It
> can also be enabled by setting an environmental variable PYTHONHASHSEED to
> "random". (Other values are accepted, too; pass -h to python for complete
> description.)
>
> More details about the issue and the patch can be found in the oCERT advisory
> [1] and the Python bug tracker [2].
>
> Another related security issue fixed in these releases is in the expat XML
> parsing library. expat had the same hash security issue detailed above as
> Python's core types. The hashing algorithm used in the expat library is now
> randomized.
>
> A few other security issues were fixed. They are described on the release pages
> below.
>
> These releases are production releases.
>
> Downloads are at
>
> http://python.org/download/releases/2.6.8/
> http://python.org/download/releases/2.7.3/
> http://python.org/download/releases/3.1.5/
> http://python.org/download/releases/3.2.3/
>
> As always, please report bugs to
>
> http://bugs.python.org/
>
> Happy-to-put-hash-attack-issues-behind-them-ly yours,
> The Python release team
> Barry Warsaw (2.6), Georg Brandl (3.2), and Benjamin Peterson (2.7 and 3.1)
>
> [1] http://www.ocert.org/advisories/ocert-2011-003.html
> [2] http://bugs.python.org/issue13703
>
> Python-Dev mailing list
> http://mail.python.org/mailman/listinfo/python-dev

BangPypers mailing list
BangPypers@python.org
http://mail.python.org/mailman/listinfo/bangpypers
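A small check for the behaviour the announcement describes, added here as an example and not part of the original post or of CPython itself. It assumes a Python 3 interpreter reachable through sys.executable and uses only the PYTHONHASHSEED variable named above (0 disables randomization, any other integer fixes the seed).

```python
"""Confirm hash randomization status and show its effect on str hashes."""
import os
import subprocess
import sys


def hash_randomization_enabled():
    """True when this interpreter was started with hash randomization
    (via -R, PYTHONHASHSEED=random, or the Python 3.3+ default)."""
    return bool(sys.flags.hash_randomization)


def str_hash_in_child(text, seed):
    """Start a fresh interpreter with PYTHONHASHSEED=<seed> and return
    hash(text) as computed there. Each child is a separate process, so
    this is the 'across Python runs' case the announcement talks about."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", text],
        env=env,
    )
    return int(out)


def hashes_differ_across_seeds(text="password", seeds=(1, 2, 3)):
    """True if the same string hashes differently under different seeds.
    That per-process difference is what stops an attacker precomputing
    colliding keys without access to the running process."""
    return len({str_hash_in_child(text, s) for s in seeds}) == len(seeds)


def hash_stable_without_randomization(text="password"):
    """With PYTHONHASHSEED=0 the hash is reproducible run to run, i.e. the
    pre-fix behaviour that applications relying on dict order depended on."""
    return str_hash_in_child(text, 0) == str_hash_in_child(text, 0)


if __name__ == "__main__":
    print("randomization on in this process:", hash_randomization_enabled())
    print("str hash differs across seeds:", hashes_differ_across_seeds())
    print("str hash stable with seed 0:", hash_stable_without_randomization())
```

If hash_randomization_enabled() reports False on a 2.6.8/2.7.3/3.1.5/3.2.3 build that handles untrusted keys, start it with -R or PYTHONHASHSEED=random as the announcement describes.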