[BangPypers] Fw: [Python-Dev] [RELEASED] Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3

Senthil Kumaran senthil at uthcode.com
Thu Apr 12 13:21:37 CEST 2012


It's an important release.

On Wed, Apr 11, 2012 at 03:37:49PM -0400, Benjamin Peterson wrote:
> We're bursting with enthusiasm to announce the immediate availability of Python
> 2.6.8, 2.7.3, 3.1.5, and 3.2.3. These releases included several security fixes.
> 
> Note: Virtualenvs created with older releases in the 2.6, 2.7, 3.1, or 3.2
> series may not work with these bugfix releases. Specifically, the os module may
> not appear to have a urandom function. This is a virtualenv bug, which can be
> solved by recreating the broken virtualenvs with the newer Python versions.
> 
> The main impetus for these releases is fixing a security issue in Python's hash
> based types, dict and set, as described below. Python 2.7.3 and 3.2.3 include
> the security patch and the normal set of bug fixes. Since Python 2.6 and 3.1 are
> maintained only for security issues, 2.6.8 and 3.1.5 contain only various
> security patches.
> 
> The security issue exploits Python's dict and set implementations. Carefully
> crafted input can lead to extremely long computation times and denials of
> service. [1] Python dict and set types use hash tables to provide amortized
> constant time operations. Hash tables require a well-distributed hash function
> to spread data evenly across the hash table. The security issue is that an
> attacker could compute thousands of keys with colliding hashes; this causes
> quadratic algorithmic complexity when the hash table is constructed. To
> alleviate the problem, the new releases add randomization to the hashing of
> Python's string types (bytes/str in Python 3 and str/unicode in Python 2),
> datetime.date, and datetime.datetime. This prevents an attacker from computing
> colliding keys of these types without access to the Python process.
> 
> Hash randomization causes the iteration order of dicts and sets to be
> unpredictable and differ across Python runs. Python has never guaranteed
> iteration order of keys in a dict or set, and applications are advised to never
> rely on it. Historically, dict iteration order has not changed very often across
> releases and has always remained consistent between successive executions of
> Python. Thus, some existing applications may be relying on dict or set ordering.
> Because of this and the fact that many Python applications which don't accept
> untrusted input are not vulnerable to this attack, in all stable Python releases
> mentioned here, HASH RANDOMIZATION IS DISABLED BY DEFAULT. There are two ways to
> enable it. The -R commandline option can be passed to the python executable. It
> can also be enabled by setting an environmental variable PYTHONHASHSEED to
> "random". (Other values are accepted, too; pass -h to python for complete
> description.)
> 
> More details about the issue and the patch can be found in the oCERT advisory
> [1] and the Python bug tracker [2].
> 
> Another related security issue fixed in these releases is in the expat XML
> parsing library. expat had the same hash security issue detailed above as
> Python's core types. The hashing algorithm used in the expat library is now
> randomized.
> 
> A few other security issues were fixed. They are described on the release pages
> below.
> 
> These releases are production releases.
> 
> Downloads are at
> 
>     http://python.org/download/releases/2.6.8/
>     http://python.org/download/releases/2.7.3/
>     http://python.org/download/releases/3.1.5/
>     http://python.org/download/releases/3.2.3/
> 
> As always, please report bugs to
> 
>     http://bugs.python.org/
> 
> Happy-to-put-hash-attack-issues-behind-them-ly yours,
> The Python release team
> Barry Warsaw (2.6), Georg Brandl (3.2), and Benjamin Peterson (2.7 and 3.1)
> 
> [1] http://www.ocert.org/advisories/ocert-2011-003.html
> [2] http://bugs.python.org/issue13703
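As an added illustration (not part of the announcement or of this forward), the following script checks whether the hash randomization the release team describes is active in the running interpreter, and counts how many key comparisons CPython has to make when every key in a dict collides, which is the quadratic cost the advisory refers to. All function and class names are this example's own.

```python
# Added example (not from the announcement): check whether the hash
# randomization described above is active, and count how many key comparisons
# a dict needs when every key collides. All names below are this example's own.
import os
import subprocess
import sys


def randomization_enabled():
    """True when this interpreter randomizes str hashes (sys.flags.hash_randomization
    appears in 2.6.8/2.7.3/3.1.5/3.2.3; set by -R or PYTHONHASHSEED=random)."""
    return bool(getattr(sys.flags, "hash_randomization", 0))


def str_hash_varies_across_runs(sample="security", runs=3):
    """Run fresh interpreters with PYTHONHASHSEED=random and compare hash(sample).
    With randomization active each process picks its own seed, so the values differ;
    an interpreter without the fix prints the same number every time."""
    env = dict(os.environ, PYTHONHASHSEED="random")
    code = "import sys; sys.stdout.write(str(hash(%r)))" % sample
    seen = set()
    for _ in range(runs):
        seen.add(subprocess.check_output([sys.executable, "-c", code], env=env))
    return len(seen) > 1


class Colliding(object):
    """Key whose hash is always 0: every instance lands on the same probe chain,
    the situation an attacker engineers by crafting colliding strings."""
    comparisons = 0  # class-wide count of __eq__ calls made by dict lookups

    def __init__(self, n):
        self.n = n

    def __hash__(self):
        return 0

    def __eq__(self, other):
        Colliding.comparisons += 1
        return isinstance(other, Colliding) and self.n == other.n


def comparisons_to_build(count):
    """Key comparisons CPython performs to build a dict of `count` distinct
    all-colliding keys: the i-th insert walks past i earlier keys, so the total
    is count*(count-1)/2. Distinct well-distributed hashes need almost none."""
    Colliding.comparisons = 0
    table = {}
    for i in range(count):
        table[Colliding(i)] = i
    return Colliding.comparisons
```

Doubling the key count roughly quadruples the comparison count, which is the behaviour the advisory calls quadratic; with randomized string hashes an attacker cannot precompute keys that produce this chain.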

