[Python-Dev] [RELEASED] Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3

Wed Apr 11 21:37:49 CEST 2012

We're bursting with enthusiasm to announce the immediate availability of Python
2.6.8, 2.7.3, 3.1.5, and 3.2.3. These releases included several security fixes.

Note: Virtualenvs created with older releases in the 2.6, 2.7, 3.1, or 3.2
series may not work with these bugfix releases. Specifically, the os module may
not appear to have a urandom function. This is a virtualenv bug, which can be
solved by recreating the broken virtualenvs with the newer Python versions.

The main impetus for these releases is fixing a security issue in Python's hash
based types, dict and set, as described below. Python 2.7.3 and 3.2.3 include
the security patch and the normal set of bug fixes. Since Python 2.6 and 3.1 are
maintained only for security issues, 2.6.8 and 3.1.5 contain only various
security patches.

The security issue exploits Python's dict and set implementations. Carefully
crafted input can lead to extremely long computation times and denials of
service. [1] Python dict and set types use hash tables to provide amortized
constant time operations. Hash tables require a well-distributed hash function
to spread data evenly across the hash table. The security issue is that an
attacker could compute thousands of keys with colliding hashes; this causes
quadratic algorithmic complexity when the hash table is constructed. To
alleviate the problem, the new releases add randomization to the hashing of
Python's string types (bytes/str in Python 3 and str/unicode in Python 2),
datetime.date, and datetime.datetime. This prevents an attacker from computing
colliding keys of these types without access to the Python process.

Hash randomization causes the iteration order of dicts and sets to be
unpredictable and differ across Python runs. Python has never guaranteed
iteration order of keys in a dict or set, and applications are advised to never
rely on it. Historically, dict iteration order has not changed very often across
releases and has always remained consistent between successive executions of
Python. Thus, some existing applications may be relying on dict or set ordering.
Because of this and the fact that many Python applications which don't accept
untrusted input are not vulnerable to this attack, in all stable Python releases
mentioned here, HASH RANDOMIZATION IS DISABLED BY DEFAULT. There are two ways to
enable it. The -R commandline option can be passed to the python executable. It
can also be enabled by setting an environmental variable PYTHONHASHSEED to
"random". (Other values are accepted, too; pass -h to python for complete
description.)

More details about the issue and the patch can be found in the oCERT advisory
[1] and the Python bug tracker [2].

Another related security issue fixed in these releases is in the expat XML
parsing library. expat had the same hash security issue detailed above as
Python's core types. The hashing algorithm used in the expat library is now
randomized.

A few other security issues were fixed. They are described on the release pages
below.

These releases are production releases.

Downloads are at

    http://python.org/download/releases/2.6.8/
    http://python.org/download/releases/2.7.3/
    http://python.org/download/releases/3.1.5/
    http://python.org/download/releases/3.2.3/

As always, please report bugs to

    http://bugs.python.org/

Happy-to-put-hash-attack-issues-behind-them-ly yours,
The Python release team
Barry Warsaw (2.6), Georg Brandl (3.2), and Benjamin Peterson (2.7 and 3.1)

[1] http://www.ocert.org/advisories/ocert-2011-003.html
[2] http://bugs.python.org/issue13703