(original) (raw)

On 10/04/2013 11:15 AM, Victor Stinner wrote:

2013/10/4 Armin Rigo :

The current hash randomization is  
simply not preventing anything; someone posted long ago a way to  
recover bit-by-bit the hash randomized used by a remote web program in  
Python running on a server.

  
Oh interesting, is it public?

http://events.ccc.de/congress/2012/Fahrplan/events/5152.en.html

Quoting the synopsis:

We also describe a vulnerability of Python's new randomized hash, allowing an attacker to easily recover the 128-bit secret seed.

I found all that while reading this interesting, yet moribund, bug report:

http://bugs.python.org/issue14621

I guess there was enough bike shedding that people ran out of steam, or something. It happens.

/arry