[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Barry Warsaw barry at python.org
Tue Feb 25 16:22:17 CET 2014

On Feb 25, 2014, at 03:03 PM, Maciej Fijalkowski wrote:

>Oh, I thought security fixes go to all python releases.

Well, not the EOL'd ones of course.

Where's the analysis on backporting SIPHash to older Python versions?  Would
such a backport break backward compatibility?  What other impacts would
backporting have?  Would it break pickles, marshals, or other serialization
protocols?  Are there performance penalties?

While security should be a top priority, it isn't the only consideration in
such cases.  A *lot* of discussion went into how to effect the hash
randomization in Python 2.7, because of questions like these.  The same
analysis would have to be done for backporting this change to active older
Python versions.


More information about the Python-Dev mailing list