[Python-Dev] Status of the fix for the hash collision vulnerability
"Martin v. Löwis"
martin at v.loewis.de
Tue Jan 17 21:52:02 CET 2012
> I plan to commit my fix to Python 3.3 if it is accepted. Then write a
> simplified version to Python 3.2 and backport it to 3.1.

I'm opposed to any change to the hash values of strings in maintenance
releases, so I guess I'm opposed to your patch in principle.

See my next message for an alternative proposal.

> The vulnerability has been public for one month; it is maybe time to fix
> it before it is widely exploited.

I don't think there is any urgency. The vulnerability has been known for
more than five years now. From creating a release to the point where
the change actually arrives at end users, many months will pass.