[Python-Dev] Hash collision security issue (now public)

Georg Brandl g.brandl at gmx.net
Thu Jan 5 21:52:40 CET 2012

On 01/05/2012 09:45 PM, Barry Warsaw wrote:
> On Jan 05, 2012, at 02:33 PM, David Malcolm wrote:
>>We have similar issues in RHEL, with the Python versions going much
>>further back (e.g. 2.3)
>>When backporting the fix to ancient python versions, I'm inclined to
>>turn the change *off* by default, requiring the change to be enabled via
>>an environment variable: I want to avoid breaking existing code, even if
>>such code is technically relying on non-guaranteed behavior.  But we
>>could potentially tweak mod_python/mod_wsgi so that it defaults to *on*.
>>That way /usr/bin/python would default to the old behavior, but web apps
>>would have some protection.
> This sounds like a reasonable compromise for all stable Python releases.  It
> can be turned on by default for Python 3.3.  If you also make the default
> setting easy to change (i.e. parameterized in one place), then distros can
> make their own decision about the default, although I'd argue for the above
> default approach for Debian/Ubuntu.



More information about the Python-Dev mailing list