[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Maciej Fijalkowski fijall at gmail.com
Tue Feb 25 14:07:20 CET 2014


On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico <rosuav at gmail.com> wrote:
> On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski <fijall at gmail.com> wrote:
>>> Last issues:
>>> - hash DoS
>>
>> is this fixed?
>
> Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
> thereabouts, and is on by default in 3.3+. You do have to set an
> environment variable for 2.7 (and I think 2.6 got that too (??)), as
> it can break code.

No, the hash randomization is broken; it does not provide enough
randomness (without changing the hash function, which only happened in
3.4+).
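
An added example, not part of the thread or of CPython's own code: a small audit of the interpreter it runs under, reporting whether string hashing is randomized and which hash algorithm is in use. The function names are hypothetical; `PYTHONHASHSEED`, `sys.flags.hash_randomization` and `sys.hash_info.algorithm` are real CPython interfaces, the last one present only on 3.4+.

```python
import os
import subprocess
import sys

SAMPLE_KEY = "constructed-sample-key"  # constructed input, not from the thread


def hash_in_child(seed, text=SAMPLE_KEY):
    """hash(text) from a fresh interpreter; seed=None leaves PYTHONHASHSEED unset."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = str(seed)
    out = subprocess.check_output(
        [sys.executable, "-c", "print(hash(%r))" % text], env=env
    )
    return int(out.decode().strip())


def audit():
    """Collect the hash settings a defender would want to confirm on a host."""
    info = getattr(sys, "hash_info", None)
    # The algorithm field only exists on 3.4+, where the hash function changed.
    algorithm = getattr(info, "algorithm", "unknown (pre-3.4)")
    return {
        "version": tuple(sys.version_info[:3]),
        # State of the current process (off if PYTHONHASHSEED=0 was inherited).
        "randomized_here": bool(sys.flags.hash_randomization),
        "algorithm": algorithm,
        # True only when a keyed SipHash variant is compiled in.
        "keyed_hash": algorithm.startswith("siphash"),
        # A fixed seed must reproduce the same hash in every process.
        "fixed_seed_reproducible": hash_in_child(1) == hash_in_child(1),
        # Different seeds must give different hashes for the same key.
        "seed_changes_hash": hash_in_child(1) != hash_in_child(2),
        # With no seed set, separate processes should disagree (on by default in 3.3+).
        "default_varies": len({hash_in_child(None) for _ in range(3)}) > 1,
    }


if __name__ == "__main__":
    for key, value in sorted(audit().items()):
        print("%-24s %s" % (key, value))
```
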

